Mitigating Confidentiality Risks Posed by Cloud Computing

Storing and sharing data seems to get easier by the week. So does losing and stealing it. Cloud computing is yet another advancement in this arena, and like those that came before it (laptops, email, websites, flash drives), the benefits of this advancement come with a few risks.

Some of those risks fall into the arena of legal ethics. Josh Gold of Anderson Kill & Olick says your outside counsel should disclose to you if they are employing clouds in their practice. Further, in-house counsel want to be sure firms are conducting thorough due diligence on cloud providers. You have to go beyond what they say in advertising, he said, by digging into their protocols, the software they use, how they handle emergencies, their representations and warranties, and much more. This due diligence should be conducted by way of audits and/or detailed questionnaires.

Of course, even identifying strong vendors is not foolproof. “Anytime you entrust your data to a third party, you are incurring risk,” writes Nicole Black, author of the newly released book Cloud Computing for Lawyers. She tells lawyers they should apply to digital records the same confidentiality standards they apply to physical files.

While there are few ethical opinions on the subject, Black points to two organizations formed to create unified standards for cloud computing in the legal realm. The Legal Cloud Computing Association (www.legalcloudcomputingassociation.org) was established in 2010 by a group of cloud-computing companies. The International Legal Technologies Standards Organization (www.iltso.org) was formed in 2011 with a board comprising attorneys, IT professionals and business people.

The ILTSO recently released its 2011 Guidelines for Legal Professionals, which break standards down into four “rings of control”: My Local Networks, My Cloud Services, My Access Devices and My Ethical Considerations. The report is available for free at the organization’s website.

In her book, Nicole Black provides a starting point for due diligence that companies and firms alike can use in identifying the right cloud vendor. Here is that list:

1. What type of facility will host the data?

2. Who else has access to the cloud facility, the servers and the data and what mechanisms are in place to ensure that only authorized personnel will be able to access your data? How does the vendor screen its employees? If the vendor does not own the data center, how does the data center screen its employees?

3. Does the contract include terms that limit data access by the vendor’s employees to only those situations where you request assistance?

4. Does the contract address confidentiality? If not, is the vendor willing to sign a confidentiality agreement?

5. How frequently are back-ups performed? How are you able to verify that backups are being performed as promised?

6. Is data backed up on more than one server? Where are the respective servers located? Will your data, and any back-up copies of it, always stay within the boundaries of the United States?

7. How secure are the data centers where the servers are housed?

8. What types of encryption methods are used and how are passwords stored? Is your data encrypted while in transit or only when in storage?

9. Has a third party, such as McAfee, evaluated or tested the vendor’s security measures to assess the strength of, among other things, firewalls, encryption techniques, and intrusion detection systems? Are the audits of the security system available for your review?

10. Are there redundant power supplies for the servers?

11. Does the contract include a guarantee of uptime? How much uptime? Does the contract include historical data regarding uptime or will the provider give you that information? What happens in the event that the servers are down? Will you be compensated if there is an unexpected period of downtime that exceeds the amount set forth in the agreement?

12. If a natural disaster strikes one geographic region, would all data be lost? Are there geo-redundant back-ups?

13. What remedies does the contract provide? Are consequential damages included? Are total damages capped or are specific remedies limited?

14. Does the agreement contain a forum selection clause? How about a mandatory arbitration clause?

15. If there is a data breach, will you be notified? How are costs for remedying the breach allocated?

16. What rights do you have upon termination? Does the contract contain terms that require the vendor to assist you in transitioning from their system to another?

17. What rights do you have in the event of a billing or similar dispute with a vendor? Do you have the option of having your data held in escrow by a third party, so that it is fully accessible in the event of a dispute? Alternatively, can you back up your data locally so that it is accessible to you should you need it?

18. Does the provider carry cyber insurance? If so, what does it cover? What are the coverage limits?

Cloud Computing for Lawyers was published in January 2012 by the ABA Law Practice Management Section. Black is Of Counsel to Fiandach & Fiandach of Rochester, N.Y., and founder of lawtechtalk.com. The above list was excerpted with permission of the publisher and author.