BLOG POST

Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Companies across virtually all industries use (or are considering using) cloud services to support their businesses. SiliconAngle reports that more than 60% of businesses use cloud computing, and the average organization uses 545 cloud services.

Providers of cloud services offer powerful, scalable, and—in many cases—financially attractive solutions to meet various business needs, including technology needs (such as access to applications, storage, and computing power) as well as "business function" needs (such as payroll administration, recruitment assistance, and data analytics).

Some of the biggest impediments to placing data “in the cloud” are concerns regarding security and compliance with data privacy regulations. These issues are heightened for organizations handling sensitive or personal, financial, or health data. As data breaches in the news raise awareness about data security issues, smart companies are exploring new strategies for securing their data when using cloud services.

In Ben Rossi’s June 23 Information Age article, “Is SaaS safe? 5 tips for keeping data secure in the cloud,” Rossi provides some data security guidelines for companies using or considering cloud services.

Rossi’s five tips are summarized below:

  1. Choose your service provider with care. A service provider is only as good as the security procedures it uses to protect your data. Evaluate a provider’s security measures, such as password protections, encryption protocols, and user access limits. Different service providers offer contractual terms with varying degrees of protection for data breaches, such as indemnification rights and security audit rights. Many service providers receive certifications from outside organizations that evaluate companies for data security concerns. You should also consider the reputation of a provider and request that it provide a list of references from customers.
  2. Implement an organization-wide cloud computing policy. Draft and implement a policy that addresses cloud services issues (e.g., employee software access rights). The policy should set out any restrictions on which employees may use various software offerings, as well as technical access rules (e.g., accessing cloud applications from work computers vs. personal mobile devices). IT Manager Daily’s template policy may help you “issue-spot” for your cloud services policy, although companies should consider consulting an attorney prior to instituting this or any policy.
  3. Keep your most sensitive data at home. You may choose to parse your data and not migrate data such as trade secrets or sensitive health or financial records to the cloud. Rossi advises a conservative approach: “If it isn’t necessary for sensitive data—such as personal or proprietary—to be online, store it on your local server instead.” SaaS applications designed to work across platforms can process data from a local or other, protected source.
  4. Implement security measures. You can also implement policies and procedures within your organization to help protect your company’s data. For instance, anti-virus software, employee password strength rules, and secure protocols for password recovery are standard in many industries.
  5. Review or perform security audits. First, you should ensure that your contract with your security provider requires third-party audits or allows you to perform security audits. Many vendors hire reputable third-party auditors and share the audit results with their customers. You should review the audit results to determine whether your provider is treating your data with the required care. The threat of audits may also motivate providers to comply with data security requirements.

Companies face some difficult decisions regarding whether to use cloud services and how to choose a provider. Companies should evaluate the different offerings in a given industry, then review whether a cloud solution’s security measures are sufficient and whether the security and solution (including the transfer of data across borders) comply with the applicable data privacy requirements.