In the Cloud, a data breach is only as bad as your contract
- 17 February, 2012 03:16
Loss of control is one of the main things that gives people pause when they think about putting their data in the cloud. We've all seen how painful a data breach can be, and it can seem almost like asking for trouble to put your data in the hands of someone else. It's hard enough to prepare for a breach when you're in control. How do you do it when you put someone else in charge?
That's where a well-negotiated cloud computing contract comes into play.
Let's face it: A data breach can be expensive, not to mention damaging to your reputation. According to the Ponemon Institute's Five Countries: Cost of Data Breach report, the average cost of a data breach in the U.S. is $204 per compromised individual. The report analyzes numerous data breaches, and the smallest in the U.S. involved 5,010 people. So, even at the low end of the spectrum, the total price tag was over $1 million.
In past columns I've discussed ways to ensure that your cloud provider is preventing data breaches, but how do you prepare for them so that you don't have to bear these costs?
For starters, your contract should unequivocally state the obvious -- that the cloud provider will not share your data with anybody else. Even with that covered, there's always the risk that your data stored on the cloud provider's infrastructure could be inappropriately or maliciously accessed, used or disclosed.
A data breach involving surveys of people's favorite flavors of ice cream isn't that big of a deal, but the stakes go way up when sensitive data such as Social Security numbers, credit card numbers or personal health information is hacked. So it's important to know in advance what kind of data you'll be storing in the cloud. This knowledge will dictate how strongly you should negotiate for the associated contract clauses. It can help to classify your data, even in a very simple way such as:
* High sensitivity: Regulated, proprietary or business-critical data.
* Medium sensitivity: Personal data that is not highly sensitive.
* Low sensitivity: Unidentifiable or largely public data.
Next, it's important to define who will be responsible for which follow-up actions and/or related expenses in the event of a data breach. Key issues to consider include:
* Notification: You want the cloud provider to notify you about the occurrence of any breach of its system, regardless of whether your data was involved. And you want it to do so immediately, or as soon as possible thereafter.
* Details: You want the cloud provider to include specific pertinent information in the notification. For example: when the breach occurred, how it was perpetrated, what data was accessed, who committed the breach. Consider the likelihood that the full range of details may need to be provided via a series of notifications as new information becomes available.
* Corrective action: You want the cloud provider to cut off the hacker's access to your data as fast as possible, restore your secure access to the service as soon as possible, apply best-practice forensics in investigating the circumstances and causes of the breach, and make long-term infrastructure changes to correct the root causes of the breach and ensure that it does not recur.
* Indemnification: Due to the high financial and reputational costs resulting from a breach, you want the cloud provider to indemnify you if the breach was its fault. A provider will typically try to limit this to an amount equal to the fees that you've paid over the previous 12 months. Think through the potential impact of such a breach to determine whether this would be sufficient to make you whole. Depending upon your needs, you may need to negotiate for something higher, perhaps the amount you've paid over the previous 24 months, or some higher fixed amount. Consider leveraging the fact that the provider has related insurance with a higher limit, and that its indemnification should at least equal that insurance limit.
As with so much else related to cloud computing, the best way to deal with a data breach is to protect your interests beforehand with a properly drafted contract.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.