The Metropolitan Corporate Counsel
www.metrocorpcounsel.com
Volume 20, No. 3 © 2012 The Metropolitan Corporate Counsel, Inc. March 2012
Please email the author at jgold@andersonkill.com with questions about this article.
managers working in tandem with their IT departments and in-house attorneys to protect data created by the business or entrusted to it by outside entities and individuals. A starting point is developing a data security protocol that establishes clear directives regarding the handling of and access to information within the organization, as well as that information that might be transmitted outside the institution as part of cloud computing.

Virtually any company that has customers (especially retailers) will have not only its own business and employee information electronically captured but will also have the e-data of its customers, including contact information and customer account information. An important step in the process is to inventory the information possessed and determine its sensitivity. Certain categories of information call out for heightened protection, including health information, personally identifying information of customers and employees, certain types of non-public financial information, trade secrets, customer lists and business processes that yield competitive advantages. Decisions should be made as to whether this information is to be part of the business’s cloud-computing plan or not. If it is, then perform due diligence with regard to the cloud-computing vendor’s security, insurance and indemnification obligations.

Once such information is identified for heightened protection, it usually is not enough simply to guard against external threats of unauthorized access. It is also important to make intelligent decisions about internal access to protected classes of information. It can be risky (and unnecessary) to grant company-wide access to sensitive business information. Instead, under most circumstances, limiting the access internally to such information based upon necessity and security clearance reduces the risk of unauthorized or improper disclosure of sensitive information.

When using a cloud-computing vendor, businesses should find out what levels of employees within that firm have access to hosted information. Not surprisingly, some cloud-computing firms have several other divisions and business enterprises. It is important to know who has access to the hosted data (and to which categories of data) to get a handle on both the external and internal hacking threat.

You should also maintain the ability to audit a cloud provider. Your investors, employees, customers and business partners will expect such due diligence as part of your decision to (essentially) outsource data hosting and management. While you may be able to outsource the function of purchasing and maintaining computer servers, it is very difficult to delegate the responsibility of data security. At least one firm that used a cloud-computing platform found that out the hard way, as they now confront all sorts of litigation from various stakeholders.

Insurance Coverage Considerations

Insurance coverage is available for losses arising from computer fraud or theft under both traditional and new stand-alone insurance products. While some of this coverage is quite valuable, do not expect it to be customer-friendly.

Closely scrutinize policy terms to determine whether the use of cloud computing would alter or reduce coverage. For example, a common feature of recent network security policies involves clauses that purport to condition coverage on the absence of errors or omissions in the data security measures employed by the policyholder. Such policy clauses may be exploited by insurance companies arguing that the policyholder was somehow derelict in safeguarding computer data from hackers, among others. Furthermore, some policies may attempt to limit insurance coverage if the data breach occurs when a computer is not actively connected to a network. Accordingly, policyholders should steer toward selecting insurance policy forms that are devoid of as many coverage exclusions (aka the fine print) as possible.

Indemnity And Hold Harmless Clauses

Those using cloud-computing services should also seek protection from the cloud firms they consider using. Tools to obtain such protection include contractual indemnity/hold harmless provisions and additional insured status. Seek indemnification from the cloud firm in the event of a security breach that is their fault. You may further be able to condition your business with a cloud firm by becoming an additional insured under the insurance policies of the counter-party. Neither of these steps ensures complete protection against a security breach. Nevertheless, it is better to have these protections as an option than not to have them at all. At a minimum, a company should always seek contractual representations and warranties regarding the cloud firm’s security measures and compliance with basic data safety practices.

“Data security measures coupled with risk transfer in the form of insurance coverage … can further a business’s risk strategy.”

Conclusion

Risk abounds when dealing with electronically captured information. It is therefore no surprise that cloud computing entails risk as well. Data security measures coupled with risk transfer in the form of insurance coverage and indemnification from the cloud-computing firm can further a business’s risk management strategy. Due diligence is key here, as no company can truly delegate its data security obligations.

About Anderson Kill & Olick, P.C.

Anderson Kill practices law in the areas of Insurance Recovery, Anti-Counterfeiting, Antitrust, Bankruptcy, Commercial Litigation, Corporate & Securities, Employment & Labor Law, Health Reform, Intellectual Property, International Arbitration, Real Estate & Construction, Tax and Trusts & Estates. Best known for its work in insurance recovery, the firm represents policy holders only in insurance coverage disputes with no ties to insurance companies and no conflicts of interest. Clients include Fortune 1000 companies, small and medium-size businesses, government entities and nonprofits as well as personal estates. Based in New York City, the firm also has offices in Newark, NJ; Philadelphia, PA; Stamford, CT; Ventura, CA; and Washington, DC. For companies seeking to do business internationally, Anderson Kill through its membership in Interleges, a consortium of similar law firms in some 20 countries, can give service throughout the world.