Innovation@work: 4 Key Steps for Managing Legal Risks When Outsourcing Business Functions to the Cloud
By: Eric Langland
In today’s cloud-enabled world, business functions are commonly outsourced to service providers. To perform their services, providers often need to collect and process your employee or customer personal data. While the benefits of outsourcing these functions are clear (lower costs, scalability, better performance), the legal liability associated with keeping this data safe does not always transfer with the data to the cloud-based service provider. The legal landscape in the United States is a mosaic of state, federal, and industry-specific data privacy and security laws, many of which place responsibility on the business even when a service provider misuses or loses data. Here are four key steps a business can take to reduce legal risks when outsourcing business functions to the cloud.
1. Create Standards
Before entering into a relationship with a service provider, take a step back and ask yourself a couple of questions.
- What type of data am I sending to the service provider?
- What are the promises I make to my employees and customers?
- What is the potential financial and public fallout from a data breach?
- What are my legal requirements and what are the standards regulators, shareholders, customers, or employees hold me to?
Once you have an understanding of your standards, sit down with your IT team and draft a data security questionnaire for prospective service providers. A good questionnaire should reveal where service providers store data, the security measures in place, whether they’ve had any recent “security incidents,” the use of subcontractors, third party audit results, and information about their cyber insurance policy.
2. Understand and Negotiate Performance Clauses in the Agreement
Once you understand the service provider’s security measures, turn to the master services agreement (MSA), which governs the performance of the services. Typically, the MSA will have a “representations and warranties” section, where each party makes promises and assertions to the other party. Among other things, you should ask the service provider to “represent and warrant” that its collection, use, storage, processing, disclosure and disposal of your data complies with applicable laws. If the service provider’s answers to your questionnaire reveal any gaps, you should include additional security measures in the MSA that the service provider must enact. Do not expect to get everything you ask for. Implementing security measures to satisfy one customer can be expensive and time consuming for service providers. However, you will never get contractual terms that you do not request.
3. Have a Response Plan for Data Breaches
The MSA should include a clause that requires the service provider to notify you immediately after any suspected security breach. It should also demand the service provider take steps to fix the breach, assist with notifying third parties, and pay for costs associated with recovering the data. While the service provider may rebuff some of your demands, it is better to discuss breach procedures now rather than in the midst of an actual security incident when both parties are scrambling to respond.
4. Negotiate a Right to Indemnification
Who is responsible if your data is stolen from the service provider? The long answer lies in 50 different state data-breach laws, a handful of federal statutes and the terms of your MSA. Even if your service provider is statutorily on the hook for a data breach, your company may still be sued by customers, employees, shareholders, or regulators that claim your business was negligent in selecting its service provider. Seek an indemnification provision in the MSA whereby your service provider defends and indemnifies you for claims and losses related to third-party harm resulting from the service provider’s failure to comply with its security obligations, or from the unauthorized disclosure of your data.
Interested in learning more? Click here to subscribe and receive updates whenever new content is posted!