United States: Head In The Cloud? Achieving Savings While Managing Risks In The United States
Last Updated: May 25 2012
Article by Vivian A. Maese

What is "the Cloud"? That depends on whom you ask. Answers currently range from Apple and its competitors offering storage, music and file synchronization to individual customers, to very large vendors operating at a global scale and servicing very large enterprises. This is a frontier in many ways, and if you are going to embark on a Cloud transaction, you will be well advised to ask many questions, some of which may seem basic. While this article is focused on the laws in the United States, the risk management suggestions highlighted here are applicable anywhere on earth.

Fundamentally, moving to the Cloud is an outsourcing transaction, i.e., a company engages a third party to perform a function that the company would otherwise have performed for itself. Cloud computing is a business model that enables organizations to achieve potentially significant cost savings by sharing services, software and platforms in a third party's data center, instead of operating in the company's own data center.

Often Cloud providers will dazzle the prospective client with the potential for very significant cost savings, which is very alluring in this economic climate. The mode of operation used by some important name brands in the Cloud space is to put a "standard form contract" in a prospective client's hand accompanied by a smile and a request that you "sign here." Don't do it! Don't sign a standard form for something as important as a data center, which is the heartbeat of your operation. Go directly to your lawyer. This warning is especially relevant to regulated financial services institutions. If you sign the standard form and you are subject to any type of risk management governance-related obligations, which is the duty of every Board of Directors, you may not be able to demonstrate that the company has adequately managed its risks. Risk management functions for financial institutions have received particular emphasis after Dodd-Frank. For example, FINRA has a list of examination priorities for 2012, and cybersecurity and outsourcing are on that list. It is unlikely that the vendor's standard form, drafted for its own purposes, will provide the company with the control and assurances that it will need when FINRA examiners arrive.

Not intending to alarm, but if a data center is being replaced by a Cloud provider, it is a "bet the farm" transaction.

Remember: great deals begin with great due diligence. Conduct your due diligence assiduously, and negotiate carefully, especially if you are in the financial services industry.

What follows is focused on financial services companies, but many issues of control over data and processes and the ability to have continuity of business functions are applicable to any company considering Cloud services.

In financial services, you must take account of the important macro-regulatory compliance themes for U.S. financial services companies, which include:

  • Dodd-Frank Act and related Bank & Securities Financial Stability Outsourcing Regulations;
  • Sarbanes-Oxley Section 404;
  • Laws pertaining to Cybersecurity and Data Privacy; and
  • Record Retention.


Here are a few starting points.

1. Performance First

Can the Cloud provider actually do the job that you need done? Getting an answer will require a great deal of conversation with the prospective vendor. Consequently, all discussions with a Cloud provider should begin with a Non-Disclosure Agreement. Your company will want to protect its proprietary information during the conversation. In order to determine whether the Cloud provider can actually provide what you need to run your business, you will necessarily be sharing a lot of information. During the early days of the conversation, your company will need to disclose to the Cloud provider a fair amount of information about procedures and processes and data that may be competitively sensitive.

Also during the initial stages, probe how quickly the Cloud provider recovers services and data if there is a failure of the technology for any reason. Almost perfect uptime for on-line capabilities, and very well devised and operated data protection, are fundamentals in your own data centers, and they must be present in the company's Cloud arrangement. A relationship with your Cloud provider relies on trust – once they are hired, they are not easily fired. Verify capabilities in advance, and write a contract that allows you to continue to monitor and react if things change during the contract's term. The company should be comfortable with the Cloud provider it selects, and this aspect of due diligence will go a long way toward ensuring that comfort.

Importantly, you should ensure that the Cloud provider understands what it is getting into. Depending on the substance of the service being provided – for example, support of a consumer banking application – the Cloud provider needs to understand that bank regulators may examine the Cloud provider as if it is a regulated entity.

The post Dodd-Frank outsourcing regulations – effective and proposed – are clear that when a company outsources a function, the company is not off the hook for regulatory compliance. Do a careful inventory of the regulations that pertain to the service(s) that you propose to move to the Cloud, validate that the Cloud provider can perform the functions and clearly document your needs in the Cloud agreement. Be sure that you have contractual and actual capabilities to audit and require corrective actions and even terminate if necessary so that your company's obligations to regulators can be satisfied, and the Company's own internal operational risk management requirements are met.

Cloud providers that understand the culture of regulatory compliance will likely be a better fit for a financial services company. Having a Cloud provider that is learning on the job isn't a good idea.

2. Cybersecurity and Data Privacy

Two areas of very intense focus by financial services regulators at present are cybersecurity and data privacy. When thinking about these issues in the Cloud, the Company really does need to create an inventory at the data element level to understand the kind, character, and privacy/cybersecurity implications of the information the Company will entrust to the Cloud provider. Is it information that relates to a person and may be sensitive, like social security numbers, financial account identifiers and balances, or employee health information? Identify the location of the servicer of the data (your Cloud provider may have locations in multiple jurisdictions): where will it be housed, and where in the world might it be sent or reside? Do the involved jurisdictions have laws and regulations that impact your business, or your obligations to manage the data? For example, is personal information coming from a country that has data protection legislation/regulations that require notification of the individual as to how that information is being used? Do you or does the Cloud provider have the necessary capability to make such notifications? Which of you will absorb the costs, if any, in the event the data is lost or stolen? Is the information entrusted to the Cloud proprietary or otherwise valuable intellectual property, such as trading algorithms or a database of corporate client information? If so, evaluate the information according to its criticality to your business – will the loss, corruption or misappropriation of the information create an operational or legal problem, do reputational harm, cause you direct economic loss, or give a competitor an advantage?

After the company understands its own position, it can begin to evaluate the security of the Cloud provider. Often a map or diagram of the flow of information from the company to the Cloud provider and back, or to and from other destinations, can help you to understand how and where the data moves, and what procedures, processes and technologies are in place to keep the data safe and protected at each step.

Bad actors in cyberspace are increasing both in number and sophistication. The Company should ascertain that your Cloud provider has a dedicated, highly competent cybersecurity staff that has high visibility and respect in its own organization. During conversations, find out whether the Cloud provider focuses on dealing with the continuous evolution of "hacker" incursions into on-line operations. Some additional things to look for in a Cloud provider are background checks for employees, qualifications and standards for those employees, and a culture sensitive to security issues. Important basic questions include: Is the company's data encrypted during transmission? While it is in storage? Is the provider's employees' access to data restricted to people assigned to your account? Do those people also work on your competitors' accounts? Are there sub-Cloud providers? If so, have the Cloud provider's relationships and interactions with its sub-Cloud providers been subject to the same scrutiny as you are applying to your contract with the Cloud provider? What is the Cloud provider's process for removing data ("scrubbing" the disks and the memory) when equipment is replaced or upgraded? What happens to your company's data when the contract expires? Are transition services back to the company or to another Cloud provider carefully considered and documented? What provisions are in place in the event that the contract with the Cloud provider is terminated?

If your company is a public company, the Securities and Exchange Commission, Division of Corporate Finance, CF Disclosure Guidance: Topic 2 – Cybersecurity, October 13, 2011, requires your company to disclose risks specifically associated with outsourcing transactions. Will your contract with a Cloud provider support you in documenting the existence of risks (and the approaches in place to mitigate them)?

Cloud services agreements, like any other outsourcing arrangement, need to fit into the company's overarching rubric for risk management. The company needs to assure itself, and to be able to assure its Board, its shareholders and its clients if called upon to do so, that the Cloud provider is secure, safe, and well managed, before contract execution. Furthermore, the company needs to be in a position contractually to ensure that the Cloud provider stays that way for the life of the contract. Think through what your contingency plan will be if there is a degradation in the service provided during the contract term, or there is a problem in the region where the services are provided.

3. Disaster Recovery Capability

Here again, you should think about what you would expect from your own data center operators; this will give you a baseline for this important consideration when managing operational risks. Be sure you have reviewed and are satisfied with the Cloud provider's approach to disaster recovery.

4. Record Retention (and Retrieval)

Once you have begun to operate in the Cloud, your company is no longer in direct command of its data. Record Retention and the ability to preserve and retrieve records comprehensively and quickly for company business, investigations, examinations and litigation are important. Make sure that the company's contract with the Cloud provider is consistent with the regulations and the required procedures in the event of litigation (e.g., can the Cloud provider perform the steps necessary for a litigation hold on the records or email in its custody?). Jurisdiction in the Cloud is not necessarily intuitive. A useful step is to designate a jurisdiction in your contracts.

Be careful that arrangements for Record Retention, which often involve third parties, are modified to give you control of your data during and after the contract.

5. Other Issues

While we have addressed many questions here, the list is comprehensive but not exhaustive. Your business will have its own related considerations. Another area that will be of concern to most companies pertains to tax issues, depending on the location(s) of the service provider and the company, and related factors implicating permanent establishment or transfer pricing.

Moving to the Cloud, which sounds easy, is anything but easy from a legal point of view. Nevertheless, the level of care suggested here is needed. At the end of the day, the Company will want to actually realize its anticipated savings, and not be unhappily surprised months or years into the relationship.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
