The following is an excerpt from Cloud Computing for Lawyers, Chapter 5: Privacy Laws and Security Considerations.
Cloud-Computing Service Questionnaire
Although absolute security is impossible, and no law firm can be expected to achieve it, lawyers must take reasonable steps to ensure that their client’s data is securely stored and remains confidential. The best way to accomplish that is to learn as much as possible about the way your data will be handled by the cloud-computing provider because the security of your firm’s data is of paramount concern. Ask the right questions, ensure that you are satisfied with your vendor’s responses, and negotiate an agreement that protects both your interests and your client’s data.
Provided below is a list of the questions to ask any cloud-computing provider (this list is not exhaustive):
1) What type of facility will host the data?
2) Who else has access to the cloud facility, the servers and the data and what mechanisms are in place to ensure that only authorized personnel will be able to access your data? How does the vendor screen its employees? If the vendor does not own the data center, how does the data center screen its employees?
3) Does the contract include terms that limit data access by the vendor’s employees to only those situations where you request assistance?
4) Does the contract address confidentiality? If not, is the vendor willing to sign a confidentiality agreement?
5) How frequently are back-ups performed (the more often, the better)? How are you able to verify that backups are being performed as promised?
6) Is data backed up to more than one server? Where are the respective servers located? Will your data, and any back up copies of it, always stay within the boundaries of the United States?
7) How secure are the data centers where the servers are housed?
8) What types of encryption methods are used and how are passwords stored? Is your data encrypted while in transit or only when in storage?
9) Has a third party, such as McAfee, evaluated or tested the vendor’s security measures to assess the strength of, among other things, firewalls, encryption techniques, and intrusion detection systems? Are the audits of the security system available for your review?
10) Are there redundant power supplies for the servers?
11) Does the contract include a guarantee of uptime? How much uptime? Does the contract include historical data regarding uptime or will the provider give you that information? What happens in the event that the servers are down? Will you be compensated if there is an unexpected period of downtime that exceeds the amount set forth in the agreement?
12) If a natural disaster strikes one geographic region, would all data be lost? Are there geo-redundant back ups?
13) What remedies does the contract provide? Are consequential damages included? Are total damages capped or are specific remedies limited?
14) Does the agreement contain a forum selection clause?How about a mandatory arbitration clause?
15) If there is a data breach, will you be notified? How are costs for remedying the breach allocated?
16) What rights do you have upon termination? Does the contract contain terms that require the vendor to assist you in transitioning from their system to another?
17) What rights do you have in the event of a billing or similar dispute with the vendor? Do you have the option of having your data held in escrow by a third party, so that it is fully accessible in the event of a dispute? Alternatively can you back up your data locally so that it is accessible to you should you need it?
Excerpted from Cloud Computing for Lawyers by Nicole Black. Published by the American Bar Association, 2012.