A sometimes overlooked but potentially significant liability exposure for any company that uses the “cloud” to remotely store, process or distribute data is the service provider contract between the company user and its data center provider, and specifically the data privacy and security terms of that contract.
From a privacy standpoint, the contract should spell out the provisions concerning compliance with HIPAA, COPPA, the Gramm-Leach-Bliley Act and other federal and state privacy protection laws, to the extent they apply to the particular data center user. Equally important are the contractual provisions allocating data breach notification responsibilities (or disclaimers) between the company user and the data center provider. Governmental notification requirements vary from state to state in their timing, content and triggers, which may bring the “choice of law” provisions of the contract into play.
Other data privacy and security contractual provisions to consider are indemnities, warranties, cyber insurance and emergency contact procedures relating to data center security breaches. This would also include provisions, among other things, to assure that the company is able to reliably access its data on demand throughout the term of the contract, to retrieve or move its data at the conclusion of the contract, and to make sure that the company’s data, including backup and replicated copies, is completely removed from the data center after the company has directed the service provider to do so at the conclusion of the contract. It would also include provisions to assure that access to the company’s data, including access by the service provider’s own personnel, is limited only to those with the company’s permission, and to specify how the service provider will protect against unauthorized access. Depending on the circumstances, many additional contract terms may be necessary.
Companies that contract with data centers should review their data center agreements to determine whether these privacy and data security provisions are included, and whether circumstances call for additional terms to address these topics.