Wednesday, March 14, 2012


Cloud considerations


In an article titled Cloud-Computing Risks: Due Diligence And Insurance by Joshua Gold on the Metropolitan Corporate Counsel Web site (, the author asks: "Should a company be sending information to a third-party cloud site that hosts data for other businesses? And just what specific information is being sent: customer information? Trade secrets? Employee health information?"

Gold points out both the pros including claims of cost savings and enhanced data security, and the cons that include data breaches. He suggests making a pre-cloud decision checklist to determine if putting secure data into potentially insecure hands is worth any potential benefits.

One point Gold makes with which most readers of this blog will agree is that "Businesses can help make informed decisions regarding the extent to which they use cloud computing by having risk managers working in tandem with their IT departments and in-house attorneys to protect data created by the business or entrusted to it by outside entities and individuals."

He correctly recognizes that legal counsel is needed - be it in-house or external - to assure that the contract between the organization and the cloud providers has no holes that will cause either party grief and that the data dumped to the cloud is free from information that could cause the organization embarrassment and possibly a great deal of money if compromised.

Gold takes cloud considerations a couple of steps that should be, but often are not, considered.

Insurance "Insurance coverage is available for losses arising from computer fraud or theft under both traditional and new stand-alone insurance products. While some of this coverage is quite valuable, do not expect it to be customer-friendly

Indemnity and Hold Harmless Clauses "Those using cloud-computing services should also seek protection from the cloud firms they consider using."

For all of the above, the bottom line remains, according to Gold: "Due diligence is key here, as no company can truly delegate its data security obligations."

The entire article, which I believe deserves every risk management practitioner's attention, is at

As an aside, while searching the Metropolitan Corporate Counsel Web site for the Gold article, I came across a number of other cloud-related articles at I recommend a visit to the site if your organization is considering, or already is involved with, cloud computing.

No comments: