In Part 1 of this blog post, we discussed some key contractual provisions that lawyers should consider when entering into agreements with cloud service providers (“CSPs”). In this Part 2, we discuss some additional contractual considerations to keep in mind, as well as some post-contract practices to consider in order to better protect data in the cloud.
As we discussed in Part 1, CSP agreements may contain standard vendor-friendly provisions, such as termination rights and anti-assignment language. Equally important are the terms and conditions governing the rights of each party in the event that the CSP experiences a cyber-event:
- Breach response and remediation. Closely examine whether a contract requires the CSP to provide notice to its users, or its users’ customers, in the event of a breach, and if so, whether the notice period is sufficiently short from both a business and a legal perspective. Additionally, consider whether a CSP is required to take any remediation steps following a breach, including whether it is obligated to cooperate with its affected users in both evaluating the extent and cause of the breach and mitigating the consequences.
- Recourse following a breach. If a breach or loss of data does occur, a user’s ability to hold a CSP liable is often limited. For example, the user usually cannot hold the CSP liable for breaches resulting from misconfigured security settings, unauthorized access through connected devices, or misused credentials. Even if the CSP is breached directly, CSP agreements often limit the CSP’s total liability to the user to the amount paid for the CSP’s services under the agreement. Consequential, indirect, and other special forms of damages are often expressly excluded as well. As a result, a company may have limited recourse against a CSP following a breach if, for instance, the company needs additional information about the breach or access to the relevant systems, and the CSP elects not to cooperate and is not contractually obligated to do so. Consideration should be given to excluding the cooperation obligations from the limitation of liability clauses, or to mitigating the risk of a vendor breach through cyber insurance.
If a company handles a sensitive category of personal data, such as health information or financial records, regulators may be concerned about cloud arrangements in general and require notice of any cloud storage arrangement. For example, the United States Department of Health and Human Services has offered guidance for HIPAA-covered entities seeking to use cloud services. In Europe, the European Banking Authority requires adequate notice of cloud outsourcing arrangements by regulated banks. Companies subject to specific regulations based on the type of data they handle should be mindful of any such regulations that may apply to their use of CSP services.
Practices for Ongoing Operations
After contracting, users of cloud services should take steps to confirm that adequate monitoring and compliance protocols are in place and that the CSP’s security is up to the task of protecting against breaches and complying with the various cybersecurity regulations. As discussed in Part 1, companies should request copies of recent data security audit reports and penetration test results prior to contracting with a CSP. During the life of the contract, periodic auditing and penetration testing of the CSP are among the most effective ways to ensure that the CSP’s cybersecurity remains sufficiently robust.
Auditing, in the context of cloud services, can include an evaluation of security at physical sites, of cybersecurity response plans, and of the cybersecurity capabilities of human users. Keep in mind that CSPs may be more comfortable with bringing in a single outside auditor and providing the results of those tests to all of their customers (indeed, they may have already arranged such an audit and be willing to provide those results on a highly confidential basis), rather than running specific tests tailored for each individual customer’s unique concerns. A review of the results of any such audits is important in order to ensure that appropriate security evaluations were included as part of the review.
Penetration testing involves controlled attacks against the CSP’s infrastructure. As part of best practices, a CSP should be obligated to remediate any high or critical issues identified by a test. Although regular penetration testing may be required to meet standards set by regulations like HIPAA, complications can arise if a company’s cloud servers contain data from multiple clients without segmentation. In such a case, a CSP may resist allowing an individual client to conduct a penetration test for fear of such a test exposing data of the CSP’s other clients. In these situations, requiring the CSP to conduct its own third-party penetration tests, remediating any identified weaknesses, and sharing results of the same with clients may be the most practical option.
Before migrating data to the cloud, careful consideration should be given to the various legal risks associated with the use of cloud storage, including contractual and regulatory risks. Given the growing importance of data security, lawyers should carefully review any agreements with CSPs to ensure the inclusion of adequate security guarantees. In the event of a breach, it is important to understand the CSP’s obligations to both the user and the user’s customers, as well as any limitations on the CSP’s liability arising out of the breach. Finally, regular security audits and penetration testing should be part of any cloud arrangement.