While planning for a move to the cloud, companies should look at how best to protect themselves from the potential liability of storing data off their premises, Daren Orzechowski, a technology and intellectual property attorney at White & Case LLP, told CIO Journal.
Companies moving data to the cloud can face legal action stemming from cloud provider security lapses or vendor IP infringement, Mr. Orzechowski said. If consumer data is stolen or inadvertently released as a result of security lapses, companies can be fined by the Federal Trade Commission, even if the breach was the fault of the cloud provider, Mr. Orzechowski said.
To guard against these liabilities, Mr. Orzechowski says CIOs should push cloud providers for contractual protections that ensure the company will be compensated if vendor mistakes cause them to be sued. "The business should be trying to negotiate to get the cloud provider on the hook," Mr. Orzechowski said.
Contracts should ensure compensation if a cloud provider doesn't follow the law. For example, federal rules mandate that the financial industry screen certain employees for criminal histories if they handle customer data, Mr. Orzechowski said. If a cloud provider employed a former felon who then stole consumer financial data, resulting in a lawsuit against a bank, this clause would allow the bank to seek damages from the vendor, Mr. Orzechowski said.
A CIO's leverage to obtain these protections from a vendor depends on the size of the contract, said Mr. Orzechowski. Even large public cloud vendors may budge if the deal is big enough. "But if it's a smaller deal it's going to be very hard to get anything," Mr. Orzechowski said.
In cases when CIOs cannot obtain these contract protections, they should consider whether the savings or business advantages provided by the cloud are worth the risk of a future suit, Mr. Orzechowski said. "Sometimes the answer is you don't go to the cloud."