Loss of control is one of the main things that gives people pause when they think about putting their data in the cloud. We've all seen how painful a data breach can be, and it can seem almost like asking for trouble to put your data in the hands of someone else. It's hard enough to prepare for a breach when you're in control. How do you do it when you put someone else in charge?
That's where a well-negotiated cloud computing contract comes into play.
Let's face it: A data breach can be expensive, not to mention damaging to your reputation. According to the Ponemon Institute's Five Countries: Cost of Data Breach report, the average cost of a data breach in the U.S. is $204 per compromised individual. The report analyzes numerous data breaches, and the smallest in the U.S. involved 5,010 people. So, even at the low end of the spectrum, the total price tag was over $1 million.
In past columns I've discussed ways to ensure that your cloud provider is preventing data breaches, but how do you prepare for them so that you don't have to bear these costs?
For starters, your contract should unequivocally state the obvious -- that the cloud provider will not share your data with anybody else. Even with that covered, there's always the risk that your data stored on the cloud provider's infrastructure could be inappropriately or maliciously accessed, used or disclosed.
A data breach involving surveys of people's favorite flavors of ice cream isn't that big of a deal, but the stakes go way up when sensitive data such as Social Security numbers, credit card numbers or personal health information is hacked. So it's important to know in advance what kind of data you'll be storing in the cloud. This knowledge will dictate how strongly you should negotiate for the associated contract clauses. It can help to classify your data, even in a very simple way such as:
* High sensitivity: Regulated, proprietary or business-critical data.
* Medium sensitivity: Personal data that is not highly sensitive.
* Low sensitivity: Unidentifiable or largely public data.
Next, it's important to define who will be responsible for which follow-up actions and/or related expenses in the event of a data breach. Key issues to consider include:
* Notification: You want the cloud provider to notify you about the occurrence of any breach of its system, regardless of whether your data was involved. And you want it to do so immediately, or as soon as possible thereafter.
* Details: You want the cloud provider to include specific pertinent information in the notification. For example: when the breach occurred, how it was perpetrated, what data was accessed and who committed the breach. Consider the likelihood that the full range of details may need to be provided via a series of notifications as new information becomes available.
* Corrective action: You want the cloud provider to cut off the hacker's access to your data as fast as possible, restore your secure access to the service as soon as possible, apply best-practice forensics in investigating the circumstances and causes of the breach, and make long-term infrastructure changes to correct the root causes of the breach and ensure that it does not recur.
* Indemnification: Due to the high financial and reputational costs resulting from a breach, you want the cloud provider to indemnify you if the breach was its fault. A provider will typically try to limit this to an amount equal to the fees that you've paid over the previous 12 months. Think through the potential impact of such a breach to determine if this would be sufficient to make you whole. Depending upon your needs, you may need to negotiate for something higher, perhaps the amount you've paid over the previous 24 months, or some higher fixed amount. Consider leveraging the fact that the provider may have related insurance with a higher limit, and that its indemnification should at least equal that insurance limit.
As with so much else related to cloud computing, the best way to deal with a data breach is to protect your interests beforehand with a properly drafted contract.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.