[BreachExchange] Migrating company data to the cloud? Consider these legal issues

Audrey McNeil audrey at riskbasedsecurity.com
Wed Mar 1 20:19:59 EST 2017


http://www.idahostatesman.com/news/business/business-insider/article135338609.html

Industry surveys suggest that nearly four in five companies plan to
increase spending on software as a service, or SaaS, with cloud-based
services expected to account for over 20 percent of software expenditures
by 2019. Along with increased use of SaaS comes an increased sharing of
personal, confidential or commercially sensitive information between
customers and providers.

Some concerns identified by security executives around cloud-based services
include a lack of visibility into who is accessing data, a lack of
confidence in security capabilities, an unclear liability in case of a
cyberattack or loss of data, the potential for access by competitors, and
an increased risk given the potentially huge payoffs to malicious actors.

To address such concerns, companies seeking to transition to cloud-based
services should start by considering the following steps.

Identify and assess risks. Risk should be categorized as high, medium or
low based on the nature and sensitivity of data to be put in the cloud.
Other considerations include whether the data is subject to confidentiality
obligations by law or contract, the nature of the SaaS application (is it
mission critical?) and reputational and financial exposure should a data
breach occur.

Conduct vendor due diligence. The level of vendor due diligence will depend
on the risk categorization. Appropriate due diligence may include
evaluations of the vendor’s security measures, personnel, financial
stability, length of time in business, customer referrals and similar
factors.

Negotiate data-security provisions. Provider form contracts tend to be
written by and in favor of the provider, and, unsurprisingly, routinely
seek to disclaim or limit responsibility and liability for data breaches.
The customer should seek to appropriately include provisions relating to
confidentiality protections for customer data and ownership of customer
data, as well as data integrity and security measures that spell out the
obligations of the parties.

Negotiate data-breach provisions. Data breaches are costly, not to mention
embarrassing. Additionally, the customer cannot delegate the obligation to
comply with privacy and data security laws to the provider. As a customer,
you should seek to include appropriate indemnities and redress from the
provider in the event of a data breach, including provisions requiring the
provider to insure against data losses.