February 17, 2018

Best Practices in Cloud Computing

In our last blog post, we discussed the risks associated with cloud technology. Here, we will examine the best practices in cloud risk mitigation. 

Due Diligence. Perhaps the most important step in implementing cloud technology is choosing the best service provider to fit your company’s needs. Choosing a provider involves many different business considerations, and is not a decision that should be made by any one department or individual. Cloud implementation teams that include members from IT, legal, business and finance, and risk and procurement are best suited to tackle the complexities of these services. A cloud implementation team should create a request for proposal (RFP) that details the needs of the business. This document should be sent to service providers as part of a competitive bidding process. Background checks should be performed on each service provider to evaluate their financial stability, compliance with applicable law, security infrastructure and policies, customer reviews, and solvency. 

A Negotiated Services Agreement. Many businesses assume that along with the transfer of their data, they have also transferred their risk to the cloud provider, but absent a clear agreement that shifts liability to the provider, this is untrue. The ideal cloud service provider should be willing to negotiate the conditions of your service level agreement (SLA) to fit your business’s needs. Vital components of any SLA include: a disaster recovery plan, allocation of liability, data encryption policy, limits on system downtime, termination policy, and indemnification for breach or interruption. Setting out the costs of implementation, maintenance, and ongoing costs for personnel and software at this point in the negotiation will ensure the financial longevity of a business’s cloud use. Once you have narrowed down your potential providers, a demonstration or an evaluation period can offer substantial insight into the provider’s capabilities. It is also important to consider: term-of-use commitments, fee increases, data ownership rights, audit rights, and transition services.

Insurance. Businesses should confirm that their own insurance policies cover cyber-related events; if they do not, obtaining a separate cyber insurance policy is a best practice. Such policies should clearly state the scope (e.g. geographic or otherwise) of coverage and define critical terms like “computer system” and “network”. Deductibles, claim limits, and indemnification exclusions should also be carefully considered. Just as in your SLA, it is critical to understand who bears the risk of a data breach under your insurance policy. 

Getting Help. The degree of security necessary for any cloud service will depend on the nature of the information that will be held in the cloud. Many companies that deal in sensitive information or operate in a heavily regulated industry choose to employ cloud brokers to guide them through the RFP process and outside counsel to assist in the detailed negotiation of the Service Agreement.

© Polsinelli PC, Polsinelli LLP in California


About this Author

Kathryn T. Allen, Polsinelli PC, Intellectual Property Lawyer, Technology Licensing Attorney

Having begun her legal career as an in-house attorney, Kathryn Allen has a unique understanding of the needs of an organization when it comes to utilizing technology and intellectual property to promote its business goals.

Kathryn’s practice focuses on the often intersecting areas of information security/privacy, technology licensing/use, and intellectual property protection and monetization. She works in a variety of industries, including the heavily regulated health care and financial services industries as well as the technology startup and...