This article is a part of the SearchCloudSecurity.com mini learning guide series, Cloud computing legal issues: Developing cloud computing contracts.
SAN FRANCISCO -- A panel of lawyers at RSA Conference 2011 Tuesday told attendees to be careful when negotiating with cloud computing service providers, but also offered a reality check on the odds of service providers agreeing to an array of provisions in cloud computing contracts for data security.
Organizations shouldn't be clicking through a service provider contract online without negotiating it, said Scott Blackmer, a founding partner of the InfoLawGroup LLP. Cloud services need to be subjected to careful due diligence and governance systems; if they're not, "it's likely going to haunt you," he said.
"Legal and compliance risks can't be shifted to the cloud vendor," said Thomas Jackson, a partner and chair of the technology practice group at New York-based Phillips Nizer LLP. The ultimate responsibility remains with the enterprise that's contracting for the cloud services, he said.
Cloud service provisioning is becoming a competitive market, which gives organizations leverage to negotiate key contract provisions, Jackson said. He listed several critical provisions for cloud computing contracts, including:
- Identify protected customer information that the service provider processes and stores.
- Identify specific security procedures to which the provider must adhere.
- Make clear that the customer is owner of the data.
- Require transparency with regard to data location.
- Provide means of verifying and monitoring data integrity.
- Require the provider to undergo independent security audits.
- Include a process for timely breach notification.
- Include a means for contract termination and secure disposition of data.
- Restrict the service provider's ability to cap its liability; Jackson said providers should be obliged to make the customer "whole" if the provider is responsible for a breach or loss of availability.
While Jackson argued that organizations have more ability to negotiate cloud computing contracts, Tanya Forsheit, a founding partner at the InfoLawGroup, countered that "the reality is very different with respect to cloud service agreements."
Organizations won’t be able to get most of the provisions, Forsheit said, unless they're a massive, multinational organization or government agency. Service providers won't disclose where they keep data, and many of them push back on provisions that they make customers whole after a breach they caused, Forsheit added.
Blackmer also said organizations won't get all the contract provisions Jackson outlined. "But the more sensitive the data is, the more important it is to get as many [provisions] as you can," he added.