Melodi (Mel) Gates, Thomson Reuters Practical Law, Legaltech News
These tips can help institute best practices for drafting cloud computing agreements at your company or firm.
Cloud computing service arrangements frequently require organizations to share employee or customer personal information and other confidential data with service providers. In some cases, organizations must also grant vendors access to their current IT systems for transition or other purposes. Engaging third parties to perform services that involve handling personal information or accessing an organization's IT systems changes an organization's data security risk profile.

With counsel's advice, organizations should weigh any decision to use cloud computing services against potential privacy and data security risks.

Organizations and their service providers are subject to an increasingly complex patchwork of federal, state and local laws; regulations; and industry standards that govern privacy and data security. Service providers may have more cybersecurity expertise and technical resources than individual customer organizations. However, managing risks is crucial because vendor deficiencies can render an organization's privacy and information security programs ineffective. Data breach reports and claims frequently point to service provider compliance issues as a basis for organizational liability. These events serve as reminders that organizations cannot outsource their accountability.

Effective vendor management processes include three key steps to minimize privacy and data security risks: performing pre-engagement due diligence, drafting and negotiating standard contract terms, and engaging in regular service provider oversight and contract enforcement.

Organizations should negotiate privacy and data security terms at the same time as pricing and other business terms. Service providers often seek to use their own privacy and data security terms and conditions. These vendor-friendly contract provisions may not fully meet the organization's specific requirements. However, even if business circumstances dictate using a vendor's agreement, an organization that has developed its own standard terms can better assess and manage the risks of using a particular vendor-supplied agreement.

There are 10 best practices that attorneys drafting and negotiating cloud computing agreements should keep in mind to help them minimize privacy and data security risks while still gaining the operational benefits of outsourcing that their client organizations desire.
1. Specifically require service providers to comply with all applicable privacy and data security laws, regulations, and industry standards.

2. Define a minimum standard of care for privacy and data security, which may exceed or be more prescriptive than applicable laws and industry standards to meet the organization's particular needs, and require service providers to meet it, unless the customer organization specifically authorizes an exception.

3. Allow service providers to access the customer organization's IT systems and use its data only as required to perform the agreed-on services, unless the organization specifically grants authorization, for example, allowing the vendor to use its data for research or development purposes.

4. Prohibit service providers from disclosing the customer organization's data to third parties except as specifically authorized by the organization, such as to subcontractors or the vendor's legal counsel or other advisors. Disclosure prohibitions should also address how the service provider will handle any data requests from government authorities.

5. Require service providers to impose the same privacy and data security obligations on their subcontractors or other service providers and engage in the management and oversight necessary to ensure compliance by these third parties.

6. Include privacy and data security performance expectations and measures in any overall service level agreements (SLAs) negotiated for the services. SLAs are often used to define performance levels that vendors must achieve for IT-related services, assign incentives, and impose penalties. Addressing privacy and data security in overall SLAs increases vendor focus on and attention to these issues. Common performance expectations and measures include reporting for privacy and data security related activities and timeframes for addressing identified risks and reporting security incidents.

7. Require service providers to return or destroy, at the customer organization's request, all copies of the organization's data on termination of the agreement.

8. Define specific security incident reporting and response requirements, including timeframes, cost allocation, and responsibilities for handling data breaches and any ensuing liabilities.

9. Provide the customer organization with rights to audit or otherwise regularly assess and review the service provider's privacy and data security practices. Contract provisions should balance flexibility with commitments to support common assessment methods, such as direct audits performed by the organization or its contractors, vendor self-assessments, and independent third-party audits, assessments, or certifications. Service providers may be more willing to accept an approach that combines standard third-party audits or certifications with self-assessments that focus on the organization's specific requirements.

10. Address risk allocation, especially if a data breach or other security incident occurs. For example, service agreements should cover indemnification and cost allocation for regulatory penalties or other liabilities if service providers fail to meet privacy and data security requirements or are responsible for data breaches or other security incidents. Customer organizations should also consider requiring service providers to maintain cyber insurance coverage, including specific policy limits, according to data sensitivity and other risks.
Organizations subject to laws and regulations that require specific contract provisions may consider creating a separate, standard contract exhibit or addendum to address those requirements. For example, covered entities under the Health Insurance Portability and Accountability Act (HIPAA) should consider creating a business associate agreement, in addition to their standard privacy and data security terms. Organizations that collect and process personal information for individuals in non-U.S. jurisdictions should also consider local data protection laws and regulations that may require additional data processing agreement provisions.