Data security in the cloud
I recently received an email from Apple notifying me that my cloud is nearly full and for an additional fee I can move onto an even larger cloud that can address all my virtual storage needs. This prompted me to question what exactly I was storing in the cloud and why. If you ask companies that have opted not to move to the cloud why they have resisted, by and large they will cite data security as the key inhibitor to cloud adoption within their organization.
But more and more companies are making the transition to the cloud and enjoying the efficiencies, lower costs, and conveniences associated with doing so. The tradeoff, of course, is loss of control over your own data and (what sometimes can be an unsettling) dependence on a cloud computing vendor. Following are some issues to think about if your business is considering a move to the cloud.
1. Does the vendor meet your specific needs? Many cloud services (like my Apple cloud) were designed with individual consumers in mind, not the enterprise. This means that not all cloud vendors are created alike and the move to the cloud must be done after a rigorous internal review of the enterprise’s needs. Once the internal review has concluded, shop your cloud computing and/or storage needs to more than one vendor. If you start asking the right questions you may find that the features and capabilities of vendors differ more than you otherwise may have expected.
2. How does the vendor handle data breaches? Keep in mind that your company’s data breach risk profile may shift dramatically with a move to the cloud. For example, smaller, technology-focused businesses may be amassing a significant amount of data, but in isolation the data is still an insignificant piece of the whole. But when those smaller companies co-locate their data in the cloud, the result is big data, which means a much bigger target for hackers. Hackers (at least those who don’t have a personal axe to grind) are tempted by big data. So your data, in isolation, may be uninteresting to a hacker, but that can change when combined with the data of similarly situated companies. Discuss with your vendor how it handles data breaches and make sure that you will be notified quickly, included in the investigation, and indemnified for the associated costs.
(Continued)
3. Does the vendor have relevant experience? If you are doing business internationally or in a heavily regulated industry (health care, financial services) you must find a vendor that is similarly experienced. International privacy laws are more stringent than those in the United States. Further, certain states, such as California, are becoming very active in the data privacy and security arena. Consider utilizing enterprise-controlled servers for the super-sensitive information (billing information, patient data, internal proprietary content, personnel data) while using cloud services for less sensitive data. Segmenting like this isn’t always possible, but it’s worth considering.
4. Is access to your data restricted? Don’t pick a vendor solely based on price … even if you believe the infrastructure and security features are competitive. Some cloud vendors increase their profitability by using customer information to gather analytics, which are then sold. Any use of or access to your data by your vendor should be described in the underlying contract. The contract should include access restrictions, authentication controls, encryption, security breach procedures, business continuity and data recovery plans, termination procedures, audit rights, and similar provisions.
Please contact your friendly neighborhood technology/privacy law lawyer for a full list of all the bells and whistles your cloud vendor contract should include.
Kate Bechen is an attorney with the law firm of Whyte Hirschboeck Dudek S.C., practicing in the areas of privacy law, technology law, health law, and general business matters. She can be reached at 414-978-5380 or kbechen@whdlaw.com.
Click here to sign up for the free IB ezine — your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.
