10-25-11 | Blog Post
Data security and intellectual property rights in cloud computing are issues that should be addressed prior to signing with a cloud computing provider – outlining the agreements in a contract will help protect your company and your (or your clients’) data. The terms outlined in JISC Legal’s Cloud Computing and the Law guide bring up a few critical points that may be overlooked by companies seeking a cloud contract:
Contract Termination – Do you know what happens to your data when you decide to leave your cloud provider for whatever reason? While a normal contract outlines the duration, renewal and steps by either party (client and provider) in order to terminate the service, it’s important to know where your data goes after you leave your cloud provider, especially if you are storing sensitive information such as health records.
Can you reliably account for their actions after you cancel services with your cloud provider, knowing that they have a copy of your (or your clients’) data?
This brings us to:
Possession of Data on Termination – The right to have your data returned after contract termination is one key, if not obvious, term that should be detailed in your cloud computing service contract.
Another critical term is the length of time that a cloud provider will keep the data available for retrieval. This can become an issue if a client isn’t aware of the time period and subsequently can’t access their data after termination. It can also be an issue if sensitive data is mishandled after your service agreement is no longer effective and security isn’t upheld.
Leaking or misuse of protected health information (PHI) can mean major federal penalties under HIPAA compliant security standards as enforced by HITECH, which is one reason to seek a HIPAA hosting cloud solution provided by an audited data center operator. A HIPAA-trained IT staff will never access your protected health information.
The best way to ensure your data is protected is to know who controls it, which includes:
Who Has Access to Your Data – As your data hosting provider, and in accordance with national data compliance regulations, they should not have any reason to be accessing your confidential information hosted on their servers. If your cloud provider is outsourcing any services to a third party, you should also be aware of their access controls and ability to touch your data.
Deletion of Data – Another important term of your contract is whether and how data will be deleted from the cloud provider’s environment. Do you know if your data is still deemed your property, or does your cloud provider claim the rights after you use their hosting environment? Be sure to outline a permanent deletion procedure with your cloud provider when drafting your contract.
When it comes to data control and cloud security, you need to do your part in being vigilant about your cloud hosting contract terms to protect the access and right to your data.
Read the Top 5 Tips for Cloud Computing Security for more on cloud computing security.
New Toolkit: Cloud Computing and the Law from JISC Legal