Thursday, August 4, 2011


Cloud Perils: Risks, Security & Insurance


Joshua Gold

Originally published in the Hospitality Upgrade - Summer 2011
Used with permission

Those considering cloud computing must size up the risks of relinquishing that control over data to a third party.

The trend toward cloud computing continues to pick up momentum. Increasingly, individuals and corporations are entrusting to "the cloud" information as varied as family photos, vacation videos, contact information and sensitive business information, including customer account data and employee information.

Those selling cloud computing services speak to the numerous advantages of cloud computing, including claims of cost savings and enhanced data security. There has been some debate regarding the accuracy of these claims, especially involving those promises of heightened data security. Individuals, small businesses and large institutions opting for cloud computing give up one central dynamic: direct control of the stored or processed information. Those considering cloud computing must size up the risks of relinquishing that control over data to a third party. Fueling the debate over the safety of cloud computing is a recent data security breach suffered by customers of one of the largest entertainment and electronics companies in the world. That company had entrusted data to a cloud computing company that was in turn infiltrated by computer hackers. According to reports of the incident, millions of customer account files (including credit and debit card information) were compromised when the hackers infiltrated the cloud site and improperly accessed the sensitive account information. Notably, the hackers actually had a legitimate account set up with the cloud computing site (albeit with phony identifying information and fraudulent intentions), as opposed to anonymously hacking into another's network.

Those considering cloud computing should perform due diligence with respect to how the cloud computing company erects safety walls between the data stored and processed for individual customers. Indemnification and insurance should also be discussed. Businesses should also explore whether they would have to disclose to their customers, employees and potentially others that certain data that they might have an interest in has been supplied, shared or transmitted to a third party for storage or processing. Additionally, businesses may wish to consider whether there are certain categories of information that are simply too sensitive to provide to an external source and, therefore, must remain off of the cloud.

Businesses can help make informed decisions regarding the extent they use cloud computing by having risk managers working in tandem with their IT departments and in-house attorneys to protect data that is created by the business or entrusted to it by outside entities and individuals. One starting point is developing a data security protocol which establishes clear directives regarding the handling of and access to information within the organization and that information which might be transmitted outside the institution as part of cloud computing. Virtually any hospitality firm will have its own business and employee information electronically captured. So too will it have customers' e-data, including credit card information and other information gathered upon checkin and through rewards programs. An important step is to inventory the information possessed and determine its sensitivity. Categories of information calling out for heightened protection include: health information, personally identifying information of customers and employees, certain types of non-public financial information, trade secrets, customer lists and business processes that yield competitive advantages. Once such information is identified for heightened protection, it usually is not enough to simply guard against external threats of unauthorized access. It is also important to make intelligent decisions about internal access to protected classes of information. This applies for cloud computing too: businesses should find out what levels of employees within a cloud computing firm have access to information. Not surprisingly, some cloud computing firms have several other divisions and business enterprises. It is important to know who has access and to what categories of information to get a handle on both the external and internal hacking threat.

Insurance coverage is available for losses arising from computer fraud or theft under both existing and new stand-alone insurance products. Some of this coverage is quite valuable but should never be regarded as "customer-friendly."

Policy terms should be closely scrutinized to determine whether the use of cloud computing would alter or reduce coverage. Beware, for example, clauses purporting to condition coverage on the absence of errors or omissions in the data security measures employed by the policyholder. Such clauses may be exploited by insurance companies arguing that the policyholder was somehow derelict in safeguarding computer data from hackers, among others. Furthermore, some policies may attempt to limit insurance coverage for data breaches occurring in a computer not actively connected to a network.

Risk abounds when dealing with electronically captured information. It is therefore no surprise that cloud computing entails risk as well. Data security measures coupled with risk transfer in the form of insurance coverage and indemnification from the cloud computing firm can serve as a financial buffer when the data genie escapes the bottle.

About Anderson Kill & Olick, P.C.

Anderson Kill practices law in the areas of Insurance Recovery, Anti-Counterfeiting, Antitrust, Bankruptcy, Commercial Litigation, Corporate & Securities, Employment & Labor Law, Health Reform, Intellectual Property, International Arbitration, Real Estate & Construction, Tax, and Trusts & Estates. Best-known for its work in insurance recovery, the firm represents policyholders only in insurance coverage disputes, with no ties to insurance companies and no conflicts of interest. Clients include Fortune 1000 companies, small and medium-sized businesses, governmental entities, and nonprofits as well as personal estates. Based in New York City, the firm also has offices in Newark, NJ, Philadelphia, PA, Stamford, CT, Ventura, CA and Washington, DC. For companies seeking to do business internationally, Anderson Kill, through its membership in Interleges, a consortium of similar law firms in some 20 countries, assures the same high quality of service throughout the world that it provides itself here in the United States.

Anderson Kill represents policyholders only in insurance coverage disputes, with no ties to insurance companies, no conflicts of interest, and no compromises in its devotion to policyholder interests alone.

The information appearing in this article does not constitute legal advice or opinion. Such advice and opinion are provided by the firm only upon engagement with respect to specific factual situations

Joshua Gold, Esq.
Anderson Kill & Olick, P.C.
1251 Avenue of the Americas
New York, New York 10020-1182
Tel: 212-278-1000
Fax: 212-278-1733

No comments: