Updated: August 5, 2019

How to manage legal risks when outsourcing business functions to the cloud

In today’s cloud-enabled world, business functions are commonly outsourced to service providers. To perform their services, service providers often need to collect and process your employee or customer personal data. While the benefits of outsourcing these functions are clear (lower costs, scalability, better performance), the legal liability associated with keeping this data safe does not always transfer with the data to the cloud-based service provider. The legal landscape in the United States is a mosaic of state, federal, and industry-specific data privacy and security laws, many of which place responsibility on the business even when a service provider misuses or loses data. Here are some steps a business can take to reduce its legal risks when outsourcing business functions to the cloud.

1. Create standards

Before entering into a relationship with a service provider, take a step back and ask yourself a few questions. What type of data am I sending to the service provider? What promises do I make to my employees and customers about that data? What is the potential financial and reputational fallout from a data breach? What are my legal requirements, and what standards do regulators, shareholders, customers, or employees hold me to?

Once you have an understanding of your standards, sit down with your IT team and draft a data security questionnaire for prospective service providers. A good questionnaire should reveal where service providers store data (including which countries and which data centers or cloud platforms), the technical and organizational security measures in place, whether they have had any recent "security incidents," their use of subcontractors and sub-processors that will also touch your data, the results of any third-party audits, and the details of their cyber insurance policy.

2. Clauses in the agreement

Once you have an understanding of the service provider’s security measures, turn to the master services agreement (MSA), which governs the performance of the services. Typically, the MSA will have a “representations and warranties” section, where each party makes promises and assertions to the other party. Among other things, you should ask the service provider to “represent and warrant” that its collection, use, storage, processing, disclosure and disposal of your data complies with applicable laws. If the service provider’s answers to your questionnaire reveal any gaps, you should include additional security measures in the MSA that the service provider must enact. Do not expect to get everything you ask for. Implementing security measures to satisfy one customer can be expensive and time consuming for service providers. However, you will never get contractual terms that you do not ask for.

3. Data breach procedures

The MSA should include a clause that requires the service provider to notify you promptly, within a contractually defined time frame, after it discovers any suspected security breach involving your data. It should also require the service provider to take steps to contain and remediate the breach, to assist with notifying affected individuals, regulators, and other third parties, and to pay the costs associated with investigating the breach and recovering the data. The service provider may rebuff some of these demands, but it is far better to negotiate breach procedures now than in the midst of an actual security incident, when both parties are scrambling to respond.

4. Indemnification

Who is responsible if your data is stolen from the service provider? The long answer lies in 50 different state data-breach laws, a handful of federal statutes, and the terms of your MSA. Even if your service provider is statutorily on the hook for a data breach, your company may still be sued by customers, employees, shareholders, or regulators who claim your business was negligent in selecting or overseeing its service provider. Seek an indemnification provision in the MSA under which your service provider defends and indemnifies you against claims and losses arising from third-party harm that results from the service provider's failure to comply with its security obligations, or from the unauthorized disclosure of your data.

Eric Langland

Eric Langland, an attorney at Bernstein Shur, focuses on negotiating IT service provider agreements and building data privacy and cybersecurity compliance programs.

The views expressed are those of the author and do not necessarily reflect the views of the firm or its clients. This article is for general information purposes and is not intended to be and should not be taken as legal advice. He can be reached at elangland@bernsteinshur.com
