Businesses today are increasingly turning to cloud computing solutions and accumulating data in the cloud at a staggering pace. Although cloud solutions have many advantages, they also present challenges. For example, cloud providers generally do not customize the cloud environment for any particular customer's business needs given the multi-tenant nature of cloud solutions. In addition, complying with data privacy and cybersecurity regulations in the cloud environment requires special consideration.

Prudent practices dictate that customers conduct due diligence on providers and the security of their solutions. Successful and compliant use of cloud computing requires businesses to fully evaluate the nature of the data to be placed in the cloud, the associated data privacy and cybersecurity laws applicable to that data, and the structure and location of the cloud solution itself. This article describes five privacy and security-related questions that a general counsel should ask regarding cloud services.

Where Will the Data in the Cloud Environment Be Stored, Processed and Transferred?

In a traditional IT setting, a business knows where its data is processed and stored. In a cloud computing environment, however, that may not be the case. A cloud provider typically maintains the freedom to move data in order to maximize resource usage across a multi-customer base, facilitating a lower cost solution than achievable under traditional outsourcing. Accordingly, data may exist or be accessed (including remotely) from numerous locations that may change from time to time, triggering data transfer requirements. In particular, the EU General Data Protection Regulation ("GDPR") regulates the transfer of data to countries not deemed to have adequate data protection laws. Transfers of data to such countries must be accomplished through implementation of permitted regulatory measures, and the permitted means for transfer should be set forth in the cloud contract.

What Data Safeguards and Protocols Will Apply to Company Data in the Cloud?

Providers are becoming more sophisticated in understanding the need to develop cloud solutions designed to meet regulatory requirements, such as obligations under the GDPR and US data privacy laws to safeguard personal data. Similarly, the Safeguards Rule under the Gramm-Leach-Bliley Act requires that a financial institution develop a written information security plan describing how it will protect nonpublic personal information, and OCC guidance requires financial institutions to implement risk management processes for third-party relationships. Similarly, the Security Rule under the Health Insurance Portability and Accountability Act requires that covered entities implement administrative, physical and technical safeguards to protect the security of electronic protected health information. Non-governmental organizations, such as the Payment Card Industry Data Security Standards Council, may also impose similar requirements on their members. Several states also have data security requirements. Accordingly, cloud contracts will need to address the provider's obligations to safeguard personal data in a manner that allows the customer to remain compliant.

How Will the Business Monitor the Cloud Provider's Compliance with Data Security and Privacy Protocols?

Many privacy laws and regulations require that the customer maintain the ability to monitor the performance of third party providers, such as by conducting audits. However, in many cases, a cloud provider will not—or may not be able to— offer broad audit rights, either for policy and risk reasons or because the cloud provider is relying on a web or network of data centers provided by other third parties and subprocessors. In such cases, the customer should ask the provider what types of third-party audits or certifications of their facilities they routinely obtain. Cloud computing contracts should address provider obligations to regularly conduct such audits and maintain such certifications, as well as obligations to provide audit results to the customer.

How Should the Cloud Contract Address Data Breach Notification Requirements?

In a cloud computing environment, a business is dependent on the cloud provider to notify the business if a breach occurs and to provide it with necessary information regarding the breach in order for the business to perform investigations or diligence or provide notifications as required by various laws. The customer and provider should negotiate terms and conditions around data breach notification, including what constitutes a data breach, the responsibility and liability associated with a data breach, and the timing of the notification of a breach.

What Rights Do Third Parties Have to Access Data by Means of Legal Process?

The location of data is also important for assessing the risk of third-party access through compulsory legal process. Recent cases suggest that the US government's ability to access US data stored outside of the United States through process served on a US provider is in a state of flux. On the other hand, storing data in a cloud environment may not alter the customer's obligations to produce its own documents through legal process. Location-of-data issues are further complicated by countries having passed "blocking statutes," which limit or prohibit exporting certain information outside the country. Such information may still be subject to US discovery rules if a US party has control over the information, creating a potential conflict of laws. Global companies should understand the complexities associated with responding to legal process across multiple jurisdictions for data stored in the cloud.

Originally published 11 October 2017

Visit us at

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2017. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.