Even if your company is not storing data in the cloud, it may still be at risk for having some company information pushed into it inadvertently.

And even companies that think they have done their homework and chosen a cloud service provider with strong security measures in place may be surprised to know that some providers contract with other cloud providers to store their customers’ information.

That’s according to a presentation by John Howie, chief operations officer of the Cloud Security Alliance, at the Cloud Leadership Forum held in June 2012. He also outlined the legal issues to watch out for, particularly liability under data breach laws and how they apply to a cloud services arrangement.

In some cases, a cloud service provider may subcontract out the storage of data, and the subcontractor may in turn sub-subcontract out the work. Other CSPs may offer packages of cloud software services that seem to be part of one application, but are actually made up of several third-party providers that perform different services within one application. The more subcontractors or third parties that are involved, the more legal risk a company will be subject to since it will be difficult to ascertain the physical location of the data and how protected the company’s data is at any given time.

According to a paper by Fonss & Estigarribia LLP, a San Diego-based law firm, any cloud service agreement that the company enters into should address the following:

  • Who will be physically storing your company’s data,
  • Whether the CSP or third-party subcontractors will be allowed to contract out the storage of your company’s data,
  • Whether your company will be notified when the CSP switches subcontractors, and
  • The data security the CSP has in place, and whether the same measures apply to any subcontractors.

And don’t be tempted to save money and use free cloud storage services, as they typically don’t have the same level of security in place as business-to-business cloud storage providers, Howie said.

Furthermore, even if your company isn’t using cloud storage, your employees may be doing so. Howie said that employees often subscribe to mostly free cloud services on their own. He cited the example of a worker who couldn’t upload a file that was too large using his smart phone, so he uploaded it to DropBox, an Internet-based file-sharing service that he personally subscribed to.

Howie said consumer-oriented cloud file-sharing or storing services such as DropBox, Google Drive or Microsoft SkyDrive are free because they index the user data to glean information from it on what ads to deliver to the client. The data in the files uploaded to these sites is indexed not by a human, but a computer, so it’s not like someone will be rifling through your data.

But, as an organization, you should not take that risk, he said.

In short, find paid file-sharing services that are better designed for enterprise users and their important security needs.

As the information age blossoms, federal and state governments have been struggling to keep up by creating new laws to regulate data security. These laws and regulations set standards for data security and impose penalties on companies that fail to keep their employee and customer data secure.

The regulations your company has to comply with depend on where the CSP’s data centers are located, as well as on where your company’s data centers are situated, Howie said.

Which laws apply should be determined by counsel that specializes in electronic records security and privacy compliance, and not by the service provider – don’t take their word for it.

State and federal laws relating to privacy also include provisions for the steps an organization must take in case of a security breach that affects personal or sensitive information. But if you don’t have control over your data, you may never know that a breach has occurred.

As part of your agreement, you should require the provider to notify your company of any security breaches. The contract should specifically define the term “security breach” in great detail so there is no confusion, Fonss & Estigarribia recommends.

In addition, the agreement should address what investigative and mitigation measures the provider must take in the event of a security breach, as well as whether your company will have the ability to conduct its own investigation. You want it spelled out that your company would have access to all relevant information surrounding a breach, and would have control over how the breach is dealt with.

This is one of the weak points of the cloud: the loss of transparency to monitor, investigate and mitigate security breaches.

In addition, it is important that the agreement identify who will be held liable for any security breaches that occur.

“The company should take note of any limitations on liability provisions in the agreement,” writes Fonss & Estigarribia in its paper. “Perhaps one of the most important provisions that the company should make sure to include in the agreement is a provision indemnifying the company for all costs associated with a security breach, including the costs the company may incur in investigation, litigation and any fines and penalties.”

The takeaway
If you are planning to enter the cloud, or if your data is already aloft, just remember this: as a cloud service customer you cede control over security of the computing environment even if the provider has firewalls, hacking prevention systems and anti-malware protections in place.

While storing data in the cloud is beneficial and cost effective, transferring data to the cloud may be fraught with unintended state, federal and international legal consequences.