Falling Through Clouds
Legally, do you dare trust your business's data to the cloud?
Tue, August 03, 2010
Computerworld — Everyone knows the big virtues of using cloud computing services: They're cheap, you can scale them on demand, and they're fault-tolerant . Everyone also thinks they know cloud computing's vices: a variety of security and management concerns . What a lot of people have been missing, though, is that there's another real problem with cloud computing: legal liability.
You see, the default contract from Amazon Web Services and the other major public cloud providers puts the onus for any privacy trouble that might develop on you, the customer, not them. So, say that 100,000 of your best customers' records end up on WikiLeaks because your cloud provider's security is breached. Who do you think is going to be legally and financially responsible for the leak and any damages it causes? You can probably guess, but I'll tell you anyway: If you signed the standard cloud contract, you are. Never mind that it was the cloud provider's security failure; you're the one who will be stuck with the bills. Lucky you.
According to one report from SearchCloudComputing, Eli Lilly , the pharmaceutical giant, is fighting with Amazon over just these kinds of issues. Amazon's Werner Vogels denied the story's contention that Eli Lilly (LLY) had walked away from AWS. "Eli Lilly is still very much a customer and has not dropped their use of AWS," wrote Vogels. Be that as it may, not everyone is content with Amazon's contract policies. Burton Group analyst Drue Reeves said at the Burton Group's Catalyst conference , "We don't feel like there's enough transparency in Amazon. We would like to trust you [but need more information]."
Trust is important. Eli Lilly was burned publicly once before by an accidental release of the e-mail addresses for nearly 700 subscribers to its Prozac.com e-mail alert. The company certainly doesn't want a repeat performance of that, and no company wants to be left holding the bag in the event of a data breach because of the negligence of a cloud provider.
So, what can you, as a corporate officer, do about this? Tanya Forsheit, founding partner at the Info Law Group has some advice. First, Forsheit told me, you should be aware that "many providers of cloud services tends to offer one-size-fits-all contracts. You shouldn't just sign up for them. You need to negotiate."
In fact, Forsheit thinks you should start looking at the legal aspects of any cloud deal long before you get around to talking about the contract. "You should ask questions about data security and privacy during the preliminary stages, even before you get to the contract. You should ask them what kind of privacy and security controls they have, whether they'll let you audit their security, and what they will agree to in regards to liability. These are all places where there's room to compromise. On your side, you need to know what level of risk you're ready to take. If a provider won't agree to even consider negotiating, that's a big red flag, You need to be ready to walk away from the deal."