Performing due diligence before signing a cloud SLA

By Colin J. Zick, partner, Foley Hoag LLP and contributor, SearchCloudComputing.com 12-Jan-2012

No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall -- in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud.

General areas of concern surrounding the cloud are similar to those of traditional IT:
  • Data security during transmission and storage;
  • Data privacy and confidentiality;
  • Rights of access in general as well as access for local governments and e-discovery;
  • Data ownership;
  • Suspension and termination of service;
  • Forming and negotiating service level agreements (SLAs) with cloud providers.

Out of control

The first question you should consider is whether you are willing to put your company data in an environment where you are not in control of most of the terms of your engagement.

Because many leading cloud vendors are huge entities with an even larger customer base, the fine details of an SLA aren’t always negotiable. Often, SLAs are simply forms presented on a “take-it-or-leave-it” basis, leaving you in control of few of the terms of your engagement. If you’re not comfortable with this, I recommend looking for a provider that is willing to discuss the terms of service.

Los Angeles city officials were able to negotiate their contract for Google applications in the cloud. But if you’re not the second biggest city in the US, you may not be as lucky.

If you’re new to cloud storage, consider prioritizing which data you move first. Many companies kick off a move into the cloud by migrating non-core data first. This lets them trial the service and determine whether it is cost-effective without risking core business functions.

For example, a law firm that is new to cloud computing might decide to place back office information in the cloud -- payroll, employee benefits -- before moving privileged and confidential client information outside the standard network firewall. 

Cloud SLAs and a la carte options

Assuming you have a proposed SLA with a potential cloud vendor that is negotiable and you are ready to place some data in the cloud, there are some additional services you may want to look into before signing on the dotted line.

1. Request that sensitive data reside in a private cloud

This is a slight misnomer since the purpose of cloud computing is to achieve economies of scale by sharing facilities; however, there may be scenarios in which having a dedicated cloud infrastructure makes sense.

2. Seek special data encryption

If you have particularly sensitive information, you may want the cloud vendor to provide extra protections. For example, while there seems to be growing understanding that cloud providers are not business associates under HIPAA, this isn’t universally known. You might want the cloud provider to agree to adhere to HIPAA standards, even if they’re not required by law to do so.
