Warning: trim() expects parameter 1 to be string, array given in /home/ebusine4/public_html/libraries/joomla/html/parameter.php on line 83
Warning: Parameter 2 to plg_ijseo_redirect() expected to be a reference, value given in /home/ebusine4/public_html/libraries/joomla/event/dispatcher.php on line 136
Warning: Parameter 2 to plgContentEmailCloak() expected to be a reference, value given in /home/ebusine4/public_html/libraries/joomla/event/dispatcher.php on line 136
Warning: Parameter 2 to plgContentLoadModule() expected to be a reference, value given in /home/ebusine4/public_html/libraries/joomla/event/dispatcher.php on line 136
Warning: Parameter 2 to plgContentPagebreak() expected to be a reference, value given in /home/ebusine4/public_html/libraries/joomla/event/dispatcher.php on line 136
Over the weekend I read an interesting interview with security expert Jeremiah Grossman in MIT’s Technology Review “Being Smart About Cloud Security” (subscription required). The interview notes that “cloud computing” is often perceived to be a risky decision for many companies. Much of this perception has to do with storing customer and business information on third-party servers.
One point made in the interview, however, is that there are significant security advantages in using “cloud services” for businesses.
The average enterprise, whether you’re talking small, medium, or the largest of the large — they’re in their respective businesses. A bank isn’t in the business of technology. A retailer isn’t in the business of managing IT infrastructure … what you get from a cloud provider is the economies of scale — and somebody else to manage the problem [of security].
Based on my experience, I tend to agree with Mr. Grossman’s point that cloud computing services offer small to medium-size businesses significant security advantages. For example, a law firm where I formerly worked used a patchwork of security measures that were administered between an administrative assistant and a part-time third-party “everything-IT contractor,” e.g., web hosting, exchange server maintenance, IT sales, etc. To my knowledge, neither had any extensive training or experience in IT security.
Many small and medium-size businesses also rely on a similar IT security “solution.” The fact is, regardless of the IT security risks, most small and medium sized companies simply do not have the resources to dedicate to a full-time IT security expert.
Cloud Service Contracts and Legal Considerations
If your company is considering cloud computing services, either wholly to run the business or in part, there are numerous points that you should consider. A few are as follows:
- Data Location, Location, Location: Knowing where your data is stored is critical. Where data is located will often determine legal obligations for both personal customer data and corporate information.
- What Happens when the Lights Go Out: If your cloud service provider goes down, a business will lose access to its data. This often cuts into a company’s bottom line because the company will be unable to provide goods or services to their customers or lose productivity from employees. For this reason, it is important to learn about a cloud service provider’s reliability, service accessibility, and the overall performance. Cloud service contracts should also address when and to what extent a cloud user will be compensated for the loss of service.
- What Data Should be Stored in the Cloud: It is also important for businesses to consider what data will be subject to a cloud hosting agreement. This is because regulations governing certain types of data, such as health information protected under the Health Insurance Portability and Accountability Act (HIPAA) place restrictions on the release of data to third parties. Additionally, many industries have regulatory obligations that require certain data, such as personally identifiable information, to be encrypted. A cloud service provider, however, may not permit a user to customize cloud storage encryption standards. Even if there are no requirements for data to be encrypted, it should be. One reason is because many data breach laws, including Michigan, contain specific exemptions and protections for businesses if there is a data breach of encrypted data.
- Shifting Risks: Businesses that use cloud services are still responsible for their data, even after it is moved over to a cloud service provider. To the extent possible, it is important that businesses negotiate duties and responsibilities relating to service malfunctions or data breach notification duties. Even if there is no room to negotiate a cloud service contract, it is still important for businesses to understand their potential exposure for hosting data in the cloud.
As with most things in life and business, there are benefits to be had and risks to be addressed in relation to cloud hosting services.
Businesses using cloud services must understand that moving mission critical business and customer information over to a cloud service poses both operational and legal risks that must be addressed. Additionally, there are many complicated issues under the cloud service provider’s hosting contract that businesses need to consider. Failing to address these issues may sacrifice or impair a business organization’s ability to conduct business under normal conditions, as well as complying with obligations under extraordinary conditions, such as data breach or other applicable laws and regulations. Thus, it’s essential for businesses using cloud computing services to understand the scope and limitations of the services they receive, and the terms under which these services will be provided.
Feel free to contact Jason Shinn for more information about cloud service contracts and legal issues pertaining to data privacy protection.