The Risks and Benefits of Cloud Computing
The following is an interview with Joseph Corrigan, Partner at Posternak Blankstein & Lund in Boston, on the benefits and risks of using cloud computing in your business.
How do you use cloud computing in your business, and what are the advantages of using it?
We are currently using a cloud service provider to back-up our data periodically throughout the day and for our disaster recovery needs. The advantage of cloud computing for this service is that backing up data used to be a time-consuming and expensive process, where tapes were utilized to back up data on a daily basis, and it was expensive to maintain the equipment necessary to restore the data contained on the back-up tapes. If a company didn’t have the equipment to restore their back-ups, this equipment needed to be purchased in the event of a disaster and then the restore often took a day or two and sometimes longer to perform. With the cloud back-up, we can automatically back-up our data daily to our disaster recovery service provider’s servers, and have the ability to restore the data cheaply, efficiently and even test the restored data in a lab-type (or staging) environment to ensure that the restore is successful before users are given access to it.
What businesses are best suited to storing information on the cloud?
Any business that utilizes data and back-ups on a daily basis and is looking to reduce the overall cost and time it takes to restore data to users should consider utilizing the cloud for their data back-up and disaster recovery needs. Businesses that were affected by the large transformer failure in the Back Bay area of Boston in March 2012 and did not have access to a disaster recovery service capable of restoring data quickly learned the hard way the benefits of the cloud. Restoring from back-up tapes may have meant that you might not have access to your email or document management systems for several days, which had an obvious impact on businesses. Some businesses may even have realized that data stored on back-up tapes was compromised or altogether lost, which is another factor with backing up data on a portable medium; it is at risk of being compromised through the handling of the tape or due to the environment in which it is exposed during transport or storage.
What information should companies avoid putting on the cloud?
Businesses which have access to or utilize healthcare type information protected by HIPAA are required to take security measures to ensure the confidentiality and integrity of such information. Companies which have access to an individual’s “personal information” or “personally identifiable information”, which can include, for example, names, driver’s license or state ID numbers, social security numbers, email addresses, credit card information, are required under federal law such as the Gramm-Leach-Bliley Act (“GLBA”) and several state privacy laws to take measures to protect this information by using security measures such as encryption, firewalls, password protection and limiting access to data. In the unfortunate event that a company which stores personally identifiable information has such personal data accessed and acquired in an unauthorized manner (e.g., a cyber-attack), it is required to make a timely disclosure to those individuals whose data was improperly accessed and acquired, also referred to as a breach notification. Failure to make such timely disclosures, depending on the particular state law, may result in a private right of action and potential for recovery of actual damages and attorneys’ fees, or could result in an action being brought by the state attorney general and the imposition of civil penalties, which in some instances can be substantial.
Besides purchasing insurance, what legal measures can businesses take to prepare for crises such as data loss or cyber-attacks?
Any business that utilizes data and wishes to take advantage of cloud computing should make themselves familiar with any federal or state laws that may apply to their business and, in particular, that may apply to the type of information the business regularly handles. This step is critical as it relates to the storage of and access to potentially sensitive data. Depending on the type of information a business handles, there may be a very real need to safeguard information protected by federal regulations such as HIPAA or the GLBA, including healthcare and personally identifiable information. Moreover, where your cloud data is being stored by your service provider may well subject you and your service provider to certain regulatory requirements in the state in which the data is being stored. In addition, if your data is being hosted internationally, a business should determine what international compliance obligations may exist. These issues can be complex and in this regard it is worthwhile to consult with your legal counsel and IT resources to ensure that your company is in compliance.
As part of ensuring that your business is in compliance with the law, any business utilizing the cloud should negotiate the terms of a service contract with a cloud computing service provider that meets its business continuity needs, such as ensuring that protections are utilized including, for example, encryption, firewall and password protection technologies, as well as adequate security and safeguards for the storage of a company’s data. Finally, a business would be well advised to implement a data back-up and disaster recovery solution that meets its business needs and engage a cloud service provider for this purpose. The terms of any such service contract should be negotiated in a manner to ensure that security and compliance needs of the business are met and account for the type of data and information the business regularly utilizes such that if an unauthorized access or acquisition of information protected by law occurs, appropriate and timely disclosures can be made by the business and/or its cloud service provider.
Given that so many businesses and individuals already store their information on the cloud, how can it be regulated? Are there laws prohibiting certain types of information from being stored in the cloud?
As set forth above, the federal and state governments are already implementing regulations and laws which control the safeguarding of sensitive information which can include personally identifiable information, healthcare or financial related information. Businesses which handle such information are well-advised to familiarize themselves with federal and state laws relating to the safeguarding of such information (including which state and federal laws apply to the business and its data) and take steps to ensure that their cloud computing solution helps the business satisfy its legal compliance obligations.
To date, I am aware of no law which altogether prohibits certain types of information from being placed in the cloud; however, as discussed above, depending on the type of information, businesses must ensure that certain sensitive information is properly protected.