This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.

The idiom “out of sight out of mind” is just as relevant to the digital world as it is in other contexts, but in the digital world, one adheres to it at one’s own peril.  When using a cloud provider to host data, an organization may trust that the provider is taking appropriate steps to safeguard the data moved off site from loss and the organization from government investigations stemming from a breach. The parameters of the relationship, including handling of the organization’s data, are written into contracts or Terms of Use. However, trust is something that is earned, not written into a contract, and in today’s climate, should not be given easily.

Trust, but verify, as Ronald Reagan once said. This is a significant and timely issue because recent studies of American and European companies[1] reveal that many do not trust that their cloud provider abides by the laws to which it is subject and that many companies do not properly vet off site information management systems properly before their use.  In light of the recent news of breaches of retailers’ data and iCloud in the U.S., and revisions of the European Union Data Protection Directive that may place significant limitations on the use of hosted solutions for personal data of E.U. citizens, organizations and hosting providers should strive for mutual transparency in order establish a level of trust that will enhance data security.

When an organization stores information with a cloud provider, it implicitly trusts that the provider will keep the information safe from unauthorized disclosures and thereby keep the organization free from costly investigations associated with the failure to properly store and secure data. In fact, companies often write representations in this regard into the contract documents. Given the amount of data generated daily, an organization need not look further than Target, Michaels, Home Depot, or Community Health Systems to learn the hard reality that one misstep or flaw in an outsourced or internal information management protocol or system can become a costly mistake.

Trust in a cloud provider is therefore paramount and should be established through vetting a potential provider, including a discussion of the provider’s internal auditing process, and transparency in documentation early in the negotiation.  Yet, in the American study referenced above, 64% of the respondents did not believe that their cloud provider is in “full compliance” with data protection regulations while in the European study, that number jumped to 72%. Similarly, only 63% of companies in the American study and 55% in the European study thoroughly vet systems for security before deployment. Finally, a mere 63% and 48% of American and European companies are vigilant in conducting audits or assessments of cloud based information management solutions.

The survey highlights a growing problem for companies looking to outsource information management systems to gain the benefits usually associated with hosted solutions. Companies must confirm that cloud providers are actually employing the technology and security solutions explained in their marketing material because a breach can be devastating in legal and remediation costs and, perhaps more significantly, to reputation. Indeed, according the same survey, the average cost of a breach in the United States and European Union is $201.18 and $174.54 per record breached, respectively.

Fortunately, many of the risks can be managed through a cooperative process between the cloud services provider and the organization contracting for their services during the review and negotiation of the pertinent contract documents. Organizations should thoroughly vet a prospective cloud services provider’s security representations based on a number of criteria, including representations of compliance with state, federal, and law of foreign countries in which the organization has facilities. Different rules and regulations may apply to different types of data. For instance, HIPAA regulates medical information, Gramm Leach Bliley Act regulates financial information, and the European Data Protection Directive regulates all information in the European Union. Confirming that a cloud service provider practices the procedures it establishes for itself in accordance with the law and best practices can go a long way toward establishing a level of trust that would permit the organization’s CIO to sleep well.

[1] The studies were conducted by Netskope in conjunction with the Ponemon Institute.

—–

By Kenneth N Rashbaum Esq. and Jason M. Tenenbaum of Barton, LLP.