Many businesses are turning to cloud computing for an affordable and scalable solution. Others are giving it serious consideration. But what are the legal dangers of keeping all that information in the cloud?
In essence, cloud computing allows users to connect to applications, data and other resources that are stored “in the cloud” (that is, on the Internet) instead of on local, in-house servers.
The concept is catching on with cash-strapped IT departments that want a computing solution that’s infinitely scalable and where the problems of backup, protection and accessibility are hired out to experts. The downside, of course, is that the company’s data exists “somewhere out there,” rather than in-house.
That creates some tough legal questions. For example:
1. How does the cloud affect your e-discovery responsibilities?
E-discovery obligations cover any data under the company’s control. Whether or not that includes data in the cloud depends on the service agreement, says Nolan Goldberg, writing for Computerworld. In most cases, the company retains control of the data and is therefore subject to the same e-discovery responsibilities as with other types of storage.
When selecting a provider, Goldberg recommends choosing a cloud service that can handle your company’s existing document retention practices.
2. Will using a cloud service violate privacy laws?
If any information stored in the cloud is improperly accessed, the company will be on the legal hook, not the service provider. For example, if healthcare info about employees is hacked, the company may be hit for a violation of the Health Insurance Portability and Accountability Act (HIPAA).
With more state and federal laws appearing that hold companies responsible for the theft of customers’ and employees’ personal data, it’s important to look closely at a cloud vendor’s security practices, or to decide to keep some information in-house.
3. What happens if the vendor goes out of business?
Companies also need to consider what will happen to their data if a service provider declares bankruptcy or goes out of business. Service agreements should require that all data is backed up somewhere and that the vendor is contractually obligated to return it, says tech consultant R. Jason Straight.
The above are issues that have to be scoped out, green-lighted and built into contracts. Cloud computing is a more serious process than outsourcing, say, payroll or travel arrangements. It may make sense for your company, but it cannot be a casual move. Stored data is a critical asset for any company, and any loss or illegal access could be a disaster for your company. Make sure that a variety of voices (legal, technical, management, financial) get into the decision and the planning.