The cloud is developing in fast pace towards maturity, it has changed the way we work and innovate forever. As the cloud is moving towards comprehensive Artificial Intelligence platforms, there are hidden challenges to cloud usage. What do you do to tackle cyber risks and what use do you allow cloud providers to have from your company’s data?
In today’s business landscape, the cloud plays a critical role within the modern business strategy. The cloud is growing seven times faster compared to the rest of IT [1] and 83% of enterprise workloads are expected to be in the cloud by 2020[2]. Cloud computing has matured in the last years, providing innovative development services rather than merely cheaper, temporary servers and storage [3]. Without a cloud, there is no chance of catching up or surpassing the competition. The cloud offers businesses capabilities equivalent to that of enterprises, but with lower costs. Businesses use the cloud to overcome barriers to progress, such as limited budget, manpower or even expertise. For example, 72% of the respondents to the Oracle and KPMG Cloud Threat Report 2019 feel the public cloud is more secure than what they are able to deliver in their own data centre [4].
With legal risk management as part of the job, general counsel need to ensure safe and compliant use of cloud computing. Evidently, this requires them to fully evaluate the nature of the data to be placed in the cloud, the relevant data privacy and cybersecurity laws and the structure and location of the cloud itself. However, recent developments may put security at risk. For example, an increasing number of Cloud Service Providers (CSPs) considers the possibility to monetise customer data as an additional business model. Next to their use of personal data to provide their service, cloud service agreements often grant CSPs rights to use data for other purposes, either by themselves or by third parties. As an example, retailers often work with CSPs to produce targeted promotions and store openings, based on an analysis of anonymised consumer data within certain areas. This can lead to certain privacy concerns, especially if there is any possibility to identify individuals despite pseudonymisation.
General Counsel may need to consider the following when contracting with cloud suppliers:
- What do you think about CSPs extracting and selling certain insights from the data you provide to third parties with a commercial interest?
- Additionally, to what extent do you consider your company responsible for the degree of anonymisation deployed by CSPs?
- Does your company bear any responsibility for the processing of anonymised data for commercial purposes by the CSP?
Lack of specificity regarding CSPs rights to use data presents a significant risk in the vast majority of cloud service agreements. In order to minimize this risk, general counsel could adopt three kinds of precautionary measures:
- Parties and CSPs could agree on terms regarding responsibility for and the manner of the anonymisation process.
- The possibility of re-identification could be contractually prohibited.
- Parties could establish a duty to report in the event of an actual identification of a person on the basis of their anonymised data.
Feeling secure by the billions your CSP invests in cybersecurity? Don’t forget about your front door. Companies should be aware of the fact that their own employees frequently are the weakest link in the chain, instead of the CSPs. Email phishing has taken the top spot as the cyber-attack that was most experienced over the last two years [5]. The login details of a single employee are sufficient to provide access to the entire network, sometimes regardless of the security measures taken by the CSPs. It is therefore recommended to provide cybersecurity awareness training to employees in order to enable them to, for example, identify phishing attempts. And for General Counsel, to practice what you preach.
