The following is an excerpt from Cloud Computing for Lawyers, Chapter 5: Privacy Laws and Security Considerations.

It is imperative to determine the cloud-computing provider’s relationship to the servers that will house your law firm’s data. Does the cloud- computing provider own the servers or do they lease the servers? Do they lease the actual servers or have they contracted with a company that pro- vides Infrastructure as a Service (IaaS).

If the provider owns the physical servers, then determine who has access to the facility, the servers, and the data located on the servers. For example, see the description of the measures taken by Amazon Cloud Services to secure the facilities that house their cloud servers, as described in the sidebar on pages 95–101. You must ascertain what security measures are in place to limit access to the servers and the facility that they are housed in. The answers to these questions will assist you in assessing whether you are comfortable with the security measures that your provider is taking in regard to its own facility.

If your provider leases the physical servers from another party, you must ensure that the owner of the facility has measures in place that will pre- vent unauthorized access to your law firm’s data. This is important because you need to ensure that the cloud-computing provider is familiar with the facility and the procedures and security measures being followed in regard to the servers located on site.

Another necessary part of the process of assuring that adequate measures are being taken is to review the lease agreement between the cloud-computing provider and the company that leases the servers. Does the agreement address security measures? Does it include terms specifying who will have access to the physical building, the servers, and your data? Does it cover the steps that will be taken in the event of a security lapse? Does it specify who is liable in the event of a security breach? Review the agreement carefully and ask questions of the provider. Make sure that you exercise due diligence in fleshing out the security issues and that the answers provided are satisfactory, thus assuring you that reasonable steps will be taken to ensure that your firm’s data is secure.

Likewise, if the cloud-computing provider has contracted with a company that provides IaaS (such as Amazon EC2), meaning it stores your data on cloud servers and owns neither the servers nor the facility where your data is stored, review the cloud-computing provider’s agreement with the IaaS provider and ask many of the same questions…

The more companies that are involved in the storage of your data, the greater the risk that security may be compromised. Ascertaining the mechanisms that are in place to prevent unauthorized access at each level, from the IaaS provider to your cloud-computing vendor, is the first step in meeting your obligation to exercise due diligence before using a new technology in your practice.

Excerpted from Cloud Computing for Lawyers by Nicole Black. Published by the American Bar Association, 2012.