Cloud Services Contracts: Cloud Computing's Dark Lining

Authors: Tabitha Rainey Sullivan and Sharon R. Klein

9/13/2011

Reproduced with permission from BNA's Privacy & Security Law Report, 10 PVLR 1317 (Sep. 12, 2011). Copyright 2011 by The Bureau of National Affairs, Inc. (800.372.1033)

Businesses seeking operating cost reductions by moving to the cloud face increased privacy and security risks, the authors warn, providing tips on how companies can help address those risks through the contracting process with cloud computing services providers.

Businesses are being driven by the recession to take advantage of cost-effective technologies such as cloud computing, despite the growing danger to the privacy and security of stored information in shared environments. In this article, we will explore the world of cloud computing, the increased risk to the privacy and security of data, and how such risks can be addressed through the contracting process with providers of cloud computing services.

What Is Cloud Computing?

The National Institute of Standards and Technology defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or vendor interaction.”1 The general concept is that any computer connected to the “cloud” may be connected to a pool of computer servers, applications, storage, and files to facilitate sharing of resources and costs among many users.2

Cloud computing has been around for more than 30 years in various forms of data center shared services but has become popular due to the growing need for a scalable, cost-efficient model. Cloud computing has shifted processing and other resources from the user's computer to a remote location. This shared services model can range from hosting, software as a service, outsourcing of technology, to virtualization of the computer environment. As a result, businesses benefit from cost savings and take advantage of technologies that were otherwise unavailable due to their cost and complexity.

There are two basic structures of a cloud—a private cloud and a public cloud.3 The private cloud refers to a localized data architecture of servers and storage area network (SAN) hardware where the company's IT department maintains managerial control over the cloud and, accordingly, the security of the data processed and stored in the cloud. In a public cloud, the servers and SAN hardware are managed by a third-party vendor, but the company's IT department continues to manage the user's software applications. In a public cloud, users access resources on a self-service basis over the Internet via Web applications that are hosted off-site by the vendor. Since security is jointly managed by the IT department and the vendor, businesses should carefully consider the security risks of handing information to a third party in a public cloud.

Privacy and Security Risk

Any organization that desires to employ cloud computing should balance the potential cost savings against the increased risk to the privacy and security of the organization's data, which can often be its most valuable asset.

Some of the challenges to operating in the cloud include: (i) interfaces to the network are publicly available and vulnerable to hacking; (ii) sensitive information of different organizations is often stored on common servers; (iii) multiple parties in different locations may provide cloud services and have access to the data; and (iv) rules for data protection and data breaches may be inconsistent across geographic regions, which makes compliance difficult.4

The following impacts on security compliance should also be considered: (i) encryption becomes more necessary with cloud computing; (ii) identity management becomes more complicated; (iii) vulnerability testing and penetration testing may no longer be practical; (iv) destruction of all copies of data may be difficult to verify; and (v) security controls, incident management procedures and business continuity plans must be synchronized between the organization and the vendor.

Data breaches are increasing; the Privacy Rights Clearinghouse has reported data breaches of more than 500 million records since 2005.5 Hackers are particularly motivated to penetrate the cloud because data from thousands of companies can be stored on large cloud servers, meaning hackers have more to gain through one single attack.6 In a survey report released June 6, 2011, 43 percent of companies with 500 or more employees experienced security lapses in their cloud computing use over the last 12 months.7 The 1,200 respondents surveyed were purchase decision makers or key influencers for cloud computing services, server virtualization and/or virtual desktop infrastructure. Forty percent of the respondents indicated that their IT security requirements were not being met by their current cloud providers/offerings. In addition, half of the respondents indicated that the concern over cloud data security is a “key reason holding back our adoption of cloud technologies,” and 85 percent said they encrypt all data sent to the cloud.

Regulation and Enforcement

The U.S. Federal Trade Commission (FTC) has broad authority under Section 5 of the Federal Trade Commission Act (the Act) to bring actions against companies that engage in unfair or deceptive information practices.8 Pursuant to Section 5, Christopher Soghoian filed a complaint (the Complaint) with the FTC on May 11, 2011 against Dropbox, Inc., a San Francisco-based provider of “cloud” backup, sync and file sharing services, alleging that Dropbox made deceptive statements to consumers regarding the extent to which it protects and encrypts data, which rose to the level of a deceptive trade practice subject to review by the FTC.9 For example, Dropbox indicated to Web site visitors “Your files are always safe” and told consumers elsewhere on its Web site that “Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military to send and store your data.” The Complaint alleged that these statements were false and misleading to consumers.

In the Complaint, Mr. Soghoian explained that Dropbox did not utilize best practices with respect to storage and management of encryption keys. Instead of encrypting user data with a key known only to each user, Dropbox allowed its employees access to the keys used to decrypt data and did not inform consumers about this practice. Since competitors of Dropbox did encrypt data with keys known only to the users, which increased the operating costs of those companies, Dropbox received an unfair competitive advantage. Further, if Dropbox had disclosed its practices, consumers might have opted to protect their data using one of the competing cloud vendors. As such, the Complaint urged the FTC to enjoin Dropbox's deceptive practices, notify the 25 million existing customers by e-mail of its encryption processes and offer refunds to anyone who felt they were misled.

In addition to the FTC, state and federal legislation regarding data breaches imposes substantial criminal and civil penalties. For example, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) can impose civil monetary penalties in the event of a security breach of $100-$50,000 per violation (annual aggregate of $1.5 million), and criminal penalties including imprisonment up to 10 years.10 State attorneys general have the authority to bring civil actions on behalf of residents of the state, and some states allow private rights of action.

Companies that offer cloud computing services often make broad claims in marketing materials regarding the safety and security of data stored on their servers. Given the scope of the FTC's Section 5 powers as evidenced by the Dropbox Complaint and other enforcement regimes, it would be prudent for these companies to review such materials and conform their statements to clearly and accurately reflect their security practices.

Cost of a Security Breach

Businesses must be mindful of the increased risk and cost of security breaches. According to the annual U.S. Cost of Data Breach Study (the Breach Study) published by the Ponemon Institute, an organization that conducts independent research on consumer trust, privacy, data protection, and emerging data security technologies, the average total per-incident costs for a data breach incident were $6.75 million in 2009 and are steadily increasing.11 The cost calculation took into consideration outlays for detection, escalation, notification and response, as well as legal and investigative expenses, customer defections, opportunity loss, reputation management, and costs associated with information hotlines and credit monitoring subscriptions. Cloud computing requires a heavy dependency on third parties, and it is these third parties who cause 34 percent of the data breaches.12

In addition to the cost of a breach response, mitigation, and remediation of the security incident, reputational harm to the customer can be significant. The risk of entrusting core data assets to a third party outside of a customer's control can be reduced by de-identifying data, mandating a security assessment of the third party and establishing security and data protection policies for the third party to follow. Insurance specifically covering privacy and security losses should be obtained by the customer and cloud computing vendor.

Addressing Risks Through Contract

In light of the extremely high costs associated with a breach of security, and the increased risk of breach in a cloud computing environment, businesses need to take contractual steps to allocate a portion of the risk to the cloud computing services provider. A customer must understand what exactly is being provided by the cloud computing vendor. The scope of the cloud computing services will impact the respective responsibilities of the vendor and the customer. This contractual clarity is especially important given that most cloud computing vendors believe security of data is the customer's responsibility, not theirs. The Ponemon Institute notes that less than 10 percent of such vendors' operational resources are allocated to security and most vendors do not have confidence that they are meeting customers' security requirements.13 The contracting department should work closely with the IT department to identify the company's specific requirements and incorporate appropriate provisions to ensure the company's needs are met.14

A customer should consider incorporating the following key concepts in its contract with the cloud computing vendor:15

  • Scope of Information Protected. Customers should require security for all data accessed by the vendor, not just personally identifiable information (data which uniquely identify individuals subject to special confidentiality regulations).
  • Definition of Security. “Security” should include the vendor's technological, physical, administrative, and procedural safeguards (e.g., policies, procedures, standards, and tools) intended to (i) protect the confidentiality, integrity, or accessibility of information; (ii) prevent unauthorized use of or access to vendor systems; (iii) prevent a breach or malicious code infection of customer systems; and (iv) be consistent with all applicable privacy and data security laws and regulations and relevant industry standards.
  • Restrictions on Use and Disclosure. A vendor should be permitted to use any customer data solely and as minimally necessary to perform its obligations under the agreement. The vendor also must be prohibited from providing access to the data to any third party without first obtaining the customer's prior written consent. If such consent is given, the vendor should be required to contractually bind such third party to obligations that are at least as protective of a customer's data as the ones in the agreement between the customer and the vendor.
  • Audit Rights. The customer should have the right to audit the vendor's security and compliance with applicable privacy and data security laws annually or more often in the event of any actual or suspected security breach or failure of the vendor to comply with the law. The audit should comply with the American Institute of Certified Public Accountants (AICPA) standards. The guidance for reporting on vendor organizations' controls is now SSAE 16, replacing SAS 70.16
  • Security Breach. The contract should specifically define “security breach,” which should include any actual or reasonably suspected unauthorized use of or access to a customer's data in a vendor's system. In addition, the customer should include breach notification, mitigation, and remediation procedures and specify who will pay for them.
  • Access to Information; Return and Disposal. The vendor must follow a customer's policies to preserve information and provide the customer with access to the information as may be necessary to comply with discovery in litigation and government investigations. In addition, the contract should contain a process for return and/or secure disposal of the information upon termination or customer request.

Beyond the above matters related to the data and technology, customers should be sure to include the following risk mitigation provisions in any agreement with cloud-computing vendors:

  • Indemnification. The vendor should indemnify, defend, and hold the customer harmless against any and all losses resulting from any security breach, including all fees and expenses incurred by the customer, litigation, fines, and penalties paid to third parties, and all expenses associated with responding to the breach (e.g., costs of: notification of customers, employees and government agencies; investigation, mitigation and remediation of the breach, such as providing credit monitoring services to affected individuals).
  • Insurance. The vendor also should be required to maintain certain minimum levels and types of insurance coverage throughout the term of the contract.
  • Limitations of Liability. The cost of a security breach could far exceed the amounts being paid by the customer to the vendor. Customers should resist agreeing to any cap on liability for a security breach, or they should mandate a high monetary cap in light of the risk involved.
  • Compliance. Cloud computing affects the customer's ability to comply with numerous privacy and information security laws including: (i) the Sarbanes-Oxley Act of 2002; (ii) the Health Information Portability and Accountability Act; (iii) the HITECH Act; (iv) the Gramm-Leach-Bliley Act; (v) the Fair Credit Reporting Act; and (vi) the EU Data Protection Directive and similar global legislation. Additionally, cloud computing can impact compliance with the Payment Card Industry Data Security Standard.17 The vendor should be responsible for compliance with all laws pertaining to the business of the vendor or the performance of the services contemplated by the agreement.18 Since much of the regulatory landscape is evolving, the parties should agree to comply with any applicable future legislation on privacy and security.

Conclusion

Despite the convenience and cost savings associated with cloud computing, operating in the cloud may mean that the company is giving up control over its data to a third-party vendor, which drastically increases the risk to the privacy and security of the organization's data. Cloud computing customers are urged to make sure that their agreements with cloud computing vendors are clear as to the expectations and needs of the customer, along with the steps such vendors will take to safeguard companies' data, and include appropriate risk mitigation/shifting provisions.

Endnotes

1 Attorneys Advised to Learn Tech Basics Before Advising on Cloud Service Contracts, Privacy & Sec. L. Rep. (BNA) No. 10, at 637 (Apr. 25, 2011) [hereinafter Attorneys Advised] (10 PVLR 637, 4/25/11).

2 Wikipedia, Cloud Computing, http://en.wikipedia.org/wiki/Cloud_computing (last visited Aug. 29, 2011).

3 See Attorneys Advised, supra note 1.

4 Information and Security, A Practical Guide for Global Executives, Lawyers and Technologists 279-83 (Thomas J. Shaw ed., 2011) [hereinafter Information and Security].

5 See Privacy Rights Clearinghouse, 500 Million Sensitive Records Breached Since 2005, (Aug. 26, 2010), http://www.privacyrights.org/500-million-records-breached.

6 Firms Wary of Moving to Cloud, L.A. Times, June 17, 2011.

7 TrendMicro, Cloud Security Survey Global Executive Summary (June 5, 2011), http://us.trendmicro.com/imperia/md/content/us/trendwatch/cloud/global_cloud_survey_exec_summary_final.pdf.

8 Fed. Trade Comm'n, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 2010), http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.

9 Request for Investigation and Complaint for Injunctive Relief, In re Dropbox, Inc. (FTC May 11, 2011) (10 PVLR 778, 5/23/11).

10 45 C.F.R. § 160.400, et seq.

11 Ponemon Institute, Ponemon Study Shows the Cost of Data Breach Continues to Increase, http://www.ponemon.org/news-2/23 [unable to connect as of Sept. 9].

12 Ponemon Institute, Benchmark Study on Patient Privacy and Security (9 PVLR 1608, 11/22/10).

13 Ponemon Institute, Security of Cloud Computing Providers Study (April 2011).

14 See Attorneys Advised, supra note 1.

15 See Information and Security, supra note 4.

16 See Amer. Inst. of CPAs, Service Organization Control Reports, http://www.aicpa.org/soc (last visited Sept. 7, 2011).

17 See Information and Security, supra note 4.

18 See Attorneys Advised, supra note 1.

Sharon R. Klein and Tabitha Rainey Sullivan

The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.
