It seems like you can’t go a day without reading a headline regarding yet another high-profile mass data and security breach. Security and data breaches are a concern for corporations, universities, individual consumers, and even the US government. Some recent examples making headlines include Chipotle, Kmart, Zomato, as well as OneLogin, and if you are not aware, there are concerns over Russia’s military intelligence executing a cyberattack on at least one U.S. voting software supplier.
There is no question the risk of security and data breaches must be considered an extremely serious matter and remain top of mind at the executive and board levels within all organizations.
Much of the stories pertaining to security and data breaches have been tied to information accessed within cloud solutions or hosted websites. Given the current trend to adopt cloud solutions, it has become even more critical for organizations to ensure their cloud agreements effectively address security and data breaches. The good news is, if done correctly and with the proper level of insight, there are ways to mitigate the risks associated with such breaches.
It is critical for organizations to allocate the proper amount of time and resources in the cloud selection and negotiation process to proactively alleviate any potential risk exposure. This will allow cloud selection teams to properly discuss and address suitable security measures and assurances as part of their requirements and a prerequisite for a vendor to be chosen.
3 key areas to effectively address security and data breaches
1. Security Measures and Protections
All organizations evaluating a cloud solution must fully understand the security measures and protections of the particular cloud vendors being evaluated. At the outset, it is important to get the cloud vendors confirmation that their security policies and procedures adhere to necessary certifications (SAS 70, PCI Security). If your organization has specific security requirements, it is important to communicate these upfront with the cloud vendors under consideration, and clearly identify them as a key component in your decision-making process.
It is important to mention that many cloud vendors will resist such requests, stating that in order to keep costs competitive they need to standardize on security policies in a one-size-fits-all approach that applies to all customers. Therefore, the cloud vendor will claim they simply cannot customize the cloud solution and associated services to match unique customer security requirements. Nonetheless, we still recommend engaging in these discussions early in the evaluation process when you have the greatest leverage, as vendors may be willing and able to get creative in providing some level of flexibility that either addresses your unique security requirements or substantially mitigates your financial risk.
Other security measures to address include the physical location of your data and where the cloud solution will be hosted. For example, some organizations may have regulatory requirements restricting them to U.S. locations only. The hosting and data location may also impact governing law and jurisdiction in the event of a dispute, so we recommend obtaining the opinion of legal counsel early in the sourcing process. Additionally, it is important to have clear and documented policies and procedures that govern who may have access to your organization’s information and data.
Lastly, organizations must obtain from their cloud vendor expressly stated obligations regarding how the cloud vendor will resolve and mitigate damages should a security breach occur that may expose your organization’s confidential information and data. At a minimum, the cloud vendors should be obligated to provide notice of all security and data breaches within an agreed upon period, usually within 24 hours. The written notification should include a detailed report specifically outlining how the breach occurred, which information and data was compromised, and what is being done to remedy the current security breach and prevent future breaches. The cloud agreement should also clearly identify the amount of damages available, and if possible be excluded from any limitation of liability provision, along with an ability to terminate the agreement for cause without any early termination penalty.
2. Data Protection, Rights and Backup Obligations
It is critical that your cloud agreement expressly state that your organization shall maintain ownership of all information and data at all times, and shall have access to such information and data at all times. This may seem like an obvious provision but it is often overlooked and is often not included within the template agreement of many cloud providers. Additionally, it is important to ensure your cloud agreement provides an obligation on the part of the cloud vendor to provide a complete copy of all your information and data upon written request and in an agreed upon format acceptable to the organization. It is not uncommon for a cloud agreement to include an obligation on the part of the customer to pay a fee associated for the retrieval of such information and data, but we recommend negotiating the removal of this fee, or alternatively, clearly identifying the fee within the agreement.
The cloud agreement should also clearly identify all backup schedules and policies. For mission-critical and highly sensitive information, it is important to ensure you obtain the cloud vendor’s commitment to perform backups throughout each day. You should also have included an obligation for the cloud vendor to encrypt the data and break it into pieces so that full files cannot be easily retrieved or reassembled if they are stolen. Such encryption should be provided at no additional cost.
Upon any termination of the agreement, there should be clear procedures for the timely return or retrieval of all your information and data in a predetermined format. This should include an obligation for the cloud vendor to certify that such information and data has been permanently deleted or removed from the cloud vendor’s servers.
Lastly, all organizations should have a complete understanding for how its information and data will be used by the cloud vendor. We recommend protecting your information from being utilized for the cloud vendor’s own purposes and benefit (i.e. mailing lists, marketing campaigns, selling to other vendors, etc.) that are not reasonably related to the vendor’s ability to provide the service.
3. Data Center and Security Procedures Audit Rights
In keeping with the necessity to be proactive in ensuring your organization is doing everything it can to minimize any potential risk of data and security breach exposure, all cloud agreements should provide an organization the right to perform periodic audits of the cloud vendor’s data centers. The scope and breadth of such audit rights should cover the cloud vendor’s data security controls, processes, and procedures. The organization should have the ability through such audit rights to ensure compliance with the detailed security provisions found within the cloud agreement. An organization’s ability to exercise the right to conduct such an audit is one of the best ways to hold the cloud vendor accountable to their stated security obligations and to proactively assess any potential security vulnerabilities. It is
apparent that having the right to conduct an audit is an effective means to mitigate the risks associated with security breaches.
Unfortunately, it is highly unlikely the risk of data and security breaches are going away any time soon. The key is making sure your organization is doing everything possible to ensure your risk exposure is appropriately mitigated. By addressing the issues outlined early in the selection and negotiation process, you will be on the right path to keeping your organization from being part of a news security breach headline.