With the growing trend in cloud computing, chances are you use “the cloud” in at least some aspect of your business. “Cloud computing” refers to remotely accessing services or information from third-party data centers. It essentially stores your data on a distant server, allowing you to access it from any location, assuming a device with internet capabilities is available. By outsourcing data storage needs, companies can achieve greater efficiency and cost-savings. However, these benefits are not without risks.
A host of issues can arise when third parties have control over your data, especially when a lack of certainty exists regarding the location of data storage facilities and the ways in which that data is protected. Among the factors contributing to risks:
- vulnerability to hackers and data breaches, resulting in lost, destroyed or improperly disseminated data;
- storing various parties’ data on common servers; and
- varying laws governing privacy and data protection across different jurisdictions and geographic locations.
Cloud computing risks can all lead to business disruptions, privacy law violations and disclosure of confidential information, which can mean significant financial consequences for both the cloud provider and you, the customer.
You might think that since you transferred your data to the third party, you also transferred financial liabilities for data loss or other business interruption: it is up to the third party to protect your data, and it should be liable for any losses resulting from data breaches. But this is rarely the default position.
Allocating Risk: Read the Contract
Most cloud service providers contractually place the responsibility of security on their customers. However, companies are becoming increasingly aware that their service contracts with cloud vendors leave them little recourse in the event of a problem. It is crucial to read the fine print and negotiate with your vendor to define its responsibilities and liabilities for damaged, lost or stolen data. The negotiation could be difficult, as the potential liability is usually much greater than the value of the contract. Some vendors take a hard line and say their contracts are non-negotiable; others are open to discussion and might take on a portion of the liability.
Since it is unlikely you’ll be fully protected by the cloud provider’s service agreement, considering an insurance policy to limit risk is worthwhile. While some observers say that cloud computing is generally covered under a business’s existing cyber risk policy, it is important to pay close attention to specific terms in the policy. For example, “computer system” or “computer network” can be defined terms in a policy and you should ensure that these cover cloud computing. In the end, the key is to square up your insurance policy with gaps in your cloud service contract.
As individuals and businesses increasingly become dependent on cloud technology for daily needs, learning about the associated risks and ways to protect yourself is also important. Since this is a developing technology, the law governing it is new and disjointed: different jurisdictions have different requirements and standards. Staying informed will help protect you and your business from potentially significant financial losses due to mishaps in the cloud.