Performing due diligence before signing a cloud SLA
By Colin J. Zick, partner, Foley Hoag LLP and contributor, SearchCloudComputing.com 12-Jan-2012
No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall -- in the cloud. However, there is growing consensus about what companies should ask of cloud vendors in order to maintain a secure IT environment and avoid the legal risks the cloud can create.
General areas of concern surrounding the cloud are similar to those of traditional IT:
- Data security during transmission and storage;
- Data privacy and confidentiality;
- Rights of access in general as well as access for local governments and e-discovery;
- Data ownership;
- Suspension and termination of service;
- Forming and negotiating service level agreements (SLAs) with cloud providers.
Out of control
Because many leading cloud vendors are huge entities with an even larger customer base, the fine details of an SLA aren’t always negotiable. Often, SLAs are simply forms presented on a “take-it-or-leave-it” basis. As such, the first question you should consider is whether you are willing to put your company data in an environment where you are not in control of most of the terms of your engagement. If you’re not comfortable with this, I recommend looking for a provider that is willing to discuss the terms of service.
Los Angeles city officials were able to negotiate their contract for Google applications in the cloud. But if you’re not the second biggest city in the US, you may not be as lucky.
If you’re new to cloud storage, consider prioritizing which data you move first. Many companies kick off a move into the cloud by migrating non-core data. This allows them to trial the service and determine whether it is cost-effective without risking core business functions.
For example, a law firm that is new to cloud computing might decide to place back office information in the cloud -- payroll, employee benefits -- before moving privileged and confidential client information outside the standard network firewall.
Cloud SLAs and a la carte options
Assuming you have a proposed SLA with a potential cloud vendor that is negotiable and you are ready to place some data in the cloud, there are some additional services you may want to look into before signing on the dotted line.
1. Request that sensitive data reside in a private cloud
This is a slight misnomer, since the purpose of cloud computing is to achieve economies of scale by sharing facilities; however, there may be scenarios in which having a dedicated cloud infrastructure makes sense. If you ask for it, have the SLA spell out what “private” means in practice (for example, dedicated hardware and an isolated network rather than merely a logically separated tenant on shared systems), because vendors use the term loosely.
2. Seek special data encryption
If you have particularly sensitive information, you may want the cloud vendor to provide extra protections. Encryption of data in transit and at rest, with the contract clear about who holds the keys, is the most common such protection; regulatory standards are another. For example, while there seems to be a growing understanding that cloud providers are not business associates under HIPAA, this isn’t universally known. You might want the cloud provider to agree to adhere to HIPAA standards, even if they’re not required by law to do so.
3. Geographic restrictions on where your data is stored
For legal or client-relation purposes, you may not want to have data stored overseas where law enforcement is not as rigorous or the laws are ambiguous.
4. Unique service levels
If your enterprise has special requirements for data access or use, don’t be afraid to ask the cloud vendor for special service.
5. Special penalties for violation of agreement terms
If it is important to you or your customers that there be especially high penalties for violating data privacy, ask for them.
6. Provisions that deal with a change in ownership of your cloud provider
The cloud computing market is changing rapidly. You may want to build a change-in-ownership or non-assignment clause into your SLA. In such a provision, you might also make clear that the cloud provider will never own the data that they hold for you, even if you decide to change providers.
7. Provision for business continuity in the event of a disaster
In addition to these terms, you may want to add traditional IT outsourcing contract terms that you’ve grown accustomed to regarding e-discovery functionality and indemnification for breaches, such as the ability to:
- search based on defined criteria -- content, sender and/or recipient, date range and metadata;
- store search results with any metadata;
- add and delete from search results to create an e-discovery set.
Colin J. Zick, Esq., is a partner in the Boston office of Foley Hoag LLP, focusing on health care and compliance issues. Zick frequently counsels clients on issues involving information privacy and security. As co-founder of the firm's Data Security and Privacy Practice Group, Zick regularly contributes to its blog.