It may look to some people as if there’s no negotiating room when entering into agreements with cloud service providers, especially when it comes to protecting sensitive data that may pass through the hands of third parties. Giving up control over access to your own organization’s data strikes many as just one of the compromises you have to make to take advantage of the cost and service efficiencies of the cloud computing model.
But depending on your position you may actually have more data protection cards to play than you think when you set up an agreement with a cloud computing provider.
In a post on Mondaq, Kelly L. Friedman, a partner in the Toronto office of Davis LLP who specializes in electronic information and data privacy issues, recently noted how the Ontario Ministry of Education persuaded Google (Nasdaq: GOOG) and Microsoft (Nasdaq: MSFT) to add contractual addenda protecting the data privacy of students who access Google Apps for Education and Office 365.
“Essentially, these addenda incorporate some important contractual protections, and create a ‘walled garden’ so that school boards maintain an important degree of control on student data within the ‘walled garden,’” Friedman writes in the post, which is titled “Canada: A Realistic Approach Is Needed To Cloud Computing.” Friedman notes that Google Apps for Education and Microsoft Office 365 are being provided free to the school boards for student and teacher use. “Without the bargaining power that comes with pay-for-service, the addenda have done a fine job of reducing the risks of cloud computing for our kids.”
Friedman also offers a due-diligence checklist for CIOs and other executives of organizations that actually do have some bargaining power and want to add data protection measures. Among the 12 tips she offers, Friedman recommends carrying out a privacy impact and risk assessment before moving data into the cloud and doing a security audit of the service provider.
“Ask the service provider to produce any certifications to national, industry and international standards for data security, including encryption technologies,” Friedman says. Get a picture of how your enterprise’s data will be segregated from other tenants’ data, and make sure you negotiate to preserve the ownership of your data and to limit the permitted uses of your data by the service provider.
“Ensure you are provided with data breach notification and investigation rights,” and make sure there are contingency plans for data breach and disaster recovery.
“I am not suggesting that we bury our heads in the sand and accept that ‘privacy is dead,’” Friedman concludes. “Quite the opposite. We must become knowledgeable to the point of learning how to take advantage of the benefits of cloud computing while responsibly managing the risks that cloud computing entails.”