Cloud computing service arrangements frequently require organizations to share employee or customer personal information and other confidential data with service providers. In some cases, organizations must also grant vendors access to their current IT systems for transition or other purposes. Engaging third parties to perform services that involve handling personal information or accessing an organization’s IT systems changes an organization’s data security risk profile.
With counsels’ advice, organizations should weigh any decision to use cloud computing services against potential privacy and data security risks. Organizations and their service providers are subject to an increasingly complex patchwork of federal, state and local laws; regulations; and industry standards that govern privacy and data security. Service providers may have more cybersecurity expertise and technical resources than individual customer organizations. However, managing risks is crucial because vendor deficiencies can render an organization’s privacy and information security programs ineffective. Data breach reports and claims frequently point to service provider compliance issues as a basis for organizational liability. These events serve as reminders that organizations cannot outsource their accountability.
Effective vendor management processes include three key steps to minimize privacy and data security risks: performing pre-engagement due diligence, drafting and negotiating standard contract terms, and engaging in regular service provider oversight and contract enforcement.
Organizations should negotiate privacy and data security terms at the same time as pricing and other business terms. Service providers often seek to use their own privacy and data security terms and conditions. These vendor-friendly contract provisions may not fully meet the organization’s specific requirements. However, even if business circumstances dictate using a vendor’s agreement, by developing its own standard terms, an organization can better assess and manage the risks of using a particular vendor-supplied agreement.
There are 10 best practices that attorneys drafting and negotiating cloud computing agreements should keep in mind to help them minimize privacy and data security risks while still gaining the operational benefits of outsourcing that their client organizations desire.
1. Specifically require service providers to comply with all applicable privacy and data security laws, regulations, and industry standards.
2. Define a minimum standard of care for privacy and data security, which may exceed or be more prescriptive than applicable laws and industry standards to meet the organization’s particular needs, and require service providers to meet it, unless the customer organization specifically authorizes an exception.
3. Allow service providers to access the customer organization’s IT systems and use its data only as required to perform the agreed-on services, unless the organization specifically grants authorization, for example, allowing the vendor to use its data for research or development purposes.
4. Prohibit service providers from disclosing the customer organization’s data to third parties except as specifically authorized by the organization, such as to subcontractors or the vendor’s legal counsel or other advisors. Disclosure prohibitions should also address how the service provider will handle any data requests from government authorities.
5. Require service providers to impose the same privacy and data security obligations on their subcontractors or other service providers and engage in the management and oversight necessary to ensure compliance by these third parties.
6. Include privacy and data security performance expectations and measures in any overall service level agreements (SLAs) negotiated for the services. SLAs are often used to define performance levels that vendors must achieve for IT-related services, assign incentives, and impose penalties. Addressing privacy and data security in overall SLAs increases vendor focus on and attention to these issues. Common performance expectations and measures include reporting on privacy- and data-security-related activities, and timeframes for addressing identified risks and reporting security incidents.
7. Require service providers to return or destroy, at the customer organization’s request, all copies of the organization’s data on termination of the agreement.
8. Define specific security incident reporting and response requirements, including timeframes, cost allocation, and responsibilities for handling data breaches and any ensuing liabilities.
9. Provide the customer organization with rights to audit or otherwise regularly assess and review the service provider’s privacy and data security practices. Contract provisions should balance flexibility with commitments to support common assessment methods, such as direct audits performed by the organization or its contractors, vendor self-assessments, and independent third-party audits, assessments, or certifications. Service providers may be more willing to accept an approach that combines standard third-party audits or certifications with self-assessments that focus on the organization’s specific requirements.