Cloud Spotting

How the Right Cloud Service Provider Can Protect You from the Data Risks of Cloud Computing

Cloud computing is a service that provides users access to data stored at a remote location—referred to as the cloud. Subscribers can use the cloud to store data including documents, photos, media, as well as programs and infrastructure. While it is a relatively recent amenity implemented by businesses, organizations, and individuals, cloud-based services are quickly becoming a near necessity in the public and private sectors, and with good reason.

There are many benefits to cloud computing, regardless of the user. Subscribing to cloud services can reduce a company’s costs in hardware purchases. It also allows employees mobility in data access and offers additional data redundancy. But users must realize that, as with every technological advancement, the potential for new legal issues are hidden within the cloud. By taking the right steps, these concerns are far outweighed by the utility of cloud computing.

Placing data in the hands of another entity creates the possibility that the information could be transferred elsewhere or altogether lost. This potential remains present when businesses use cloud providers for data storage, application use, or otherwise. Jared Harshbarger wrote an in-depth article concerning the particular risks associated with cloud computing and addresses the ways in which a cloud provider can mitigate those risks and instill trust in the user. See Jared A. Harshbarger, CLOUD COMPUTING PROVIDERS AND DATA SECURITY LAW: BUILDING TRUST WITH UNITED STATES COMPANIES, 16 J. of Tech Law & Pol’y 229 (2011).

Among those risks is the unauthorized disclosure of personally identifiable information, including names, addresses, financial and health information, and other sensitive data. And just as a business remains exposed to being deprived of their physical data in the office, the risks associated with the cloud will perpetually endure to a varying degree.

But the world of cloud computing and data security is no legal void. As Harshbarger explains, legislatively-enacted safeguards protect users from a third party’s misuse of information. Federal legal remedies include HIPAA, which protects health-related information; the Gramm-Leach-Bliley Act, which shields personal financial information held by financial institutions; and the Red Flag Rules, which guard against identity theft. A few states have passed even more stringent data protection laws, a trend that could continue to grow. Further, international businesses may have the protection of additional foreign law. While government regulation offers some protection to the user, a cloud service provider can go even further to protect its customer.

Harshbarger asserts the most important safeguard for the cloud user is the service contract. For example, the agreement should warrant compliance with the applicable data security laws as listed above or provide direct recourse in the agreement for the user to hold the cloud provider liable for data misuse. The provider could also list a predetermined liquidated damage amount or indemnification for suits brought for compromised data, and a heightened standard of care. The service contract should explain the manner in which it will return data and destroy it upon the user’s request. With respect to accessibility, a provider may promise a percentage of “uptime”—the consistency with which the user will be able to access information—and a disaster recovery plan for when data loss is caused by nature and human nature.

Before subscribing to a cloud service provider, learn the business practices and policies in place to protect your data as well as the remedies available in the case of data misuse. By selecting the right cloud service provider, your organization will reap the benefits of additional data security at an affordable price.1

The site is not intended as legal advice or to substitute for a formal consultation with a licensed attorney. The content is provided for general information and reference purposes, and thus the reader should not rely on any information providing legal advice, nor is it to be construed as the formation of an attorney‐client relationship. Consult with your attorney for any legal advice.