It may not be the first aspect of compliance that professionals consider, but if you want to maintain compliance in the cloud, you will need to establish a service provider contract to codify the vendor's obligations as the custodian of your digital assets.
The problem is that most lawyers have not developed a full understanding of how quickly digital assets move in the cloud, and how far. Consequently, service provider contracts are often vague in spelling out the obligations the vendor must carry out so that the customer can fulfill its own legal responsibilities for those digital assets.
How can you avoid a compliance-in-the-cloud catastrophe? The following five essential strategies should direct your lawyer in helping you achieve compliance in the cloud.
1. Consider jurisdictional limits for cloud service providers
The first strategy is mapping out your compliance duties. Despite the media's portrayal of cyberspace as a vast area without boundaries, at any moment in time your data is in a specific physical location. Even when data is in motion, the packets originate from one physical location and travel toward another. Formal legal requirements are inherently defined by the physical boundaries of the jurisdictions that impose them, as well as by the limits of those jurisdictions' enforcement powers and resources.
Many companies overlook the fact that, while laws and regulations may apply, they have jurisdictional limits. Mapping out your compliance duties prepares you for discussions with cloud service providers by answering the following questions:
- Which asset triggers a legal duty: the computer, the data, or the activities of the user or operator?
- Does the legal duty vary if the asset is physically present in a different location?
- Does a different location for any of the assets create new legal duties?
Many companies stumble in negotiating cloud services contracts over issues involving jurisdiction. They often over-restrict the vendor's ability to deliver cloud-based services because they are concerned that moving data to different physical locations will heap additional compliance responsibilities on the company. Working through the analysis in advance better focuses the dialogue between you and your lawyer.
2. Document policies for compliance in the cloud
A second strategy concerns documented policies and procedures. Many companies overlook the importance of giving a cloud service provider documentation that enables the vendor's services to fulfill the legal duties imposed on the company.
Like any other outsourcing transaction, moving to the cloud does not eliminate a company's legal responsibilities. But many businesses build their compliance programs without considering that some portion of the related business activities might later be outsourced. As a result, they lack written procedures for those activities.
Before moving digital assets to the cloud, companies need to prepare specific descriptions of required procedures. Not only does this improve the internal compliance function, but it also provides a solid foundation for intelligent discussion with the vendor regarding the scope of services to be provided and, if appropriate, the additional work that must be performed to achieve compliance in the cloud.
3. Create formats for vendor reporting
A third strategy is to develop reporting formats that make it easier to track the vendor's performance of the activities that support your compliance responsibilities.
For example, if a security incident occurs at a vendor location, what information do you need in order to integrate the vendor's response into your compliance-related processes? What types of transaction records must be generated so that they can be integrated into your compliance reporting routines? What types of vendor-related events may require additional reporting that would not be relevant to insourced services? Be prepared to address all of these questions through your reporting mechanism.
4. Develop useful monitoring protocols
The fourth strategy is developing proper monitoring protocols. A staple of any good compliance program is a solid set of monitoring and auditing mechanisms. However, as with other formal procedures, many existing programs were not developed in anticipation of monitoring third-party service providers. Developing such protocols in advance of the request-for-proposal (RFP) process is especially important when considering cloud services.
Many cloud service providers do not include compliance monitoring, or external audit services for that matter, when developing their pricing and service portfolios. As a result, negotiations often stall when a customer's compliance requirements are not fully expressed at the outset of the RFP process. If you have specific audit protocols, identifying and disclosing them as part of the RFP better assures that the pricing and proposed services are a good fit for your organization.
5. Integrate vendor management protocols
Last, but not least, it is important to integrate vendor management protocols. Many companies do not consider specifically how their vendor management program will be extended to cover cloud services. Existing vendor management programs may require adjustments to accommodate the management functions that follow from the earlier strategies: a careful mapping of compliance requirements, more complete procedural controls, additional vendor reporting, and monitoring and auditing services.
In a move to the cloud, companies also overlook the financial impact of these additional vendor management services, which must be absorbed internally. Consequently, internal "soft dollar" expenses often degrade the projected ROI of cloud-based services. Better planning, including full cost accounting for the necessary vendor management program, can help make your ascent to the cloud a smoother flight.
This was first published in February 2011