Thoughts on Cloud Service Agreements

The terms “cloud computing” and “cloud storage” are generally used to describe any system of managing or storing data that is not dependent upon a single device or computer. “Cloud computing” usually means that the data can be accessed over the Internet, and frequently means that the data is stored on a server that is owned and controlled by a third party, such as Dropbox or Microsoft.

It’s important to address privacy and security issues that might impact the information being stored “in the cloud.” Here are five things one should consider when making this evaluation:

1. End User License Agreement

If the data will be stored in a cloud service that’s provided by a third party, review the End User License Agreement to confirm that the information will be made available as needed, and that it will be treated confidentially.

2. Special Use Agreements

Understand any ancillary agreements that may need to be added to the End User License Agreement under applicable regulations. For example, HIPAA Covered Entities and their Business Associates are generally required to sign a Business Associate Agreement with third party data storage entities where the service is used to store Protected Health Information.

3. Security and Encryption

Understand any encryption requirements or safe harbors applicable to the type of information being stored. For example, HIPAA Covered Entities can gain protection against breach notification events if Protected Health Information is managed in accordance with standards set by the National Institute of Standards and Technology (NIST) for data at rest (such as on the cloud servers), data in motion (meaning the transmission between your device and the cloud servers), and data at end of life (meaning the final secure disposal of the storage device used to house the information being uploaded).

4. Breach Notification Laws

Understand any breach notification laws that may apply to the information being uploaded to ensure that a mechanism is in place to provide the required notices if a security incident might occur. Most states have laws that require notification if certain personally identifiable information is subject to a security breach.

5. Local Encryption

It’s good practice to encrypt any personal device (e.g., a computer, smartphone or tablet) that you use to manage personally identifiable information, even if the information is stored in the cloud. Cloud-based applications can leave traces of information on such devices because locally stored caches and temporary files are used to manage the user experience. Moreover, it is often helpful to set cloud-based applications to automatically log you in upon launching; however, if an unencrypted device that’s configured this way is lost or stolen, anyone who comes into possession of it has just received a gateway to the data that you’ve been storing in the cloud.

Clients frequently ask whether it is permissible to utilize a particular cloud service to store their sensitive and personally identifiable information. That decision requires a combination of legal analysis and security risk assessment. We can, for example, help you evaluate whether a cloud service is “HIPAA compliant”, and confirm for you that adequate documentation is in place to support the decision to use that cloud service should you be subject to an audit.

Cloud resources are an important aspect of any organization’s IT program. Setting up proper cloud-based systems can help ensure that your data will be stored in a professional and secure datacenter, and can provide you with backup and redundancy systems that far exceed what most businesses are able to build themselves.