• The Viridian
  • 200-residential unit development, Boston, MA
  • RoadOne IntermodaLogistics
  • Acquisition of the logistics operations of RoadLink USA, Inc. and certain affiliates
  • Sheehan Health Care Group
  • Sale of 5 nursing homes and 2 hospice companies

The Advantages and Risks of Cloud Computing: Is Your Business Covered?

December 14, 2012

The allure of cloud computing to businesses of all sizes is undeniable.  Cloud computing presents businesses with the ability to outsource various IT related needs at the software (SaaS-software as a service), network (PaaS-platform as a service) or even the entire IT infrastructure (IaaS-infrastructure as a service) level.  By outsourcing IT related needs, businesses can reduce their overhead in IT personnel, equipment and office space, rapidly scale up or down their cloud computing resources according to the needs of the business, and reduce the amount of time management spends addressing IT related decisions and managing technology.

While cloud computing clearly offers attractive advantages to businesses, there are inherent risks associated with operating in the cloud that must be considered.  Depending on whether your cloud service provider (“CSP”) offers private, hybrid or public cloud computing options, your business data may be hosted on servers with data owned by other tenants sharing common resources and technologies.  While this may not seem like an important consideration at first blush, imagine the likelihood of a business with fewer than 50 employees experiencing a cyber-attack on its servers.  Under the circumstances, most people would agree that the relative risk of a cyber-attack is low.  Now, imagine the likelihood of a cyber-attack on a server that hosts data for mega-companies such as Google or Amazon.  In those circumstances, your small business could be subject to the same threat level as a larger business simply by virtue of being mutual tenants sharing services and equipment at the same CSP.   

While utilizing cloud resources shifts many of the IT related burdens to a third party, businesses should not simply assume that all of their IT related problems will be addressed by someone else (i.e., the CSP).  Businesses utilizing cloud related IT resources must also take steps to make sure they minimize the risks associated with operating in this medium.  For example, companies should utilize encryption technology on data being hosted by the CSP and ensure that the service contract with the CSP places obligations on the CSP to respond to and, when possible, take measures to prevent cyber-attacks.  Businesses using cloud resources generally do not have transparency regarding where their data is physically stored and, in some instances, that data may be stored in a different state or country.  In light of this, the service agreement should clearly define the CSP’s obligation, on behalf of the customer, to ensure compliance with U.S. state and federal, and, if applicable, even international, regulation related to privacy and storage of data.  If the hosting server is not located in the United States then export control laws need to be considered as well. 

In addition, businesses should protect themselves against the risks associated with an interruption of service or loss of data by the CSP.  Data should be stored not only on the primary host server, but on a co-located back-up server as well.   As with any service provider, CSPs will look to minimize their exposure arising from an interruption of service or a loss in the service agreement by language limiting the CSP’s liability.  In the event of a prolonged interruption of service, the service agreement should place an obligation on the CSP to provide access to a fallback service provider or give the company the option to utilize their internal disaster response and/or recovery resources.  In addition, any business that has its data hosted by CSP, should strongly consider regularly backing up its own data through an organization unaffiliated with the CSP or, if possible, locally.

In the unfortunate event that your business does sustain a loss from a business interruption or loss of data, to facilitate notifying your insurer, the service agreement should place stringent notification and disclosure obligations as soon as the CSP becomes aware of a loss of data or interruption in service.  While traditional insurance policies are unlikely to provide coverage for losses associated with cloud computing, a new line of insurance associated with cyber risks has emerged as a result of businesses moving their data and computing operations to the cloud.  Any business operating in the cloud should have cyber risk insurance that covers the business not only from third-party claims associated with a breach of security or data arising from a third-party hosted cloud, but also insure against losses sustained by the business as a result of any business interruption or loss of data due to the use of cloud computing services.  This insurance is increasingly important if your business regularly utilizes data containing personally identifiable information (e.g., names, addresses, social security numbers and/or bank account and credit card information) or if your business operates in a regulated environment (e.g., health care or financial industries).  

While the risk of a security breach or data loss from operating in the cloud may seem low, the costs of responding to such an event can be high.  These costs can include defending your business against a third-party lawsuit or an investigation by regulators, and may include the costs of defending or representing the CSP, which you may have unknowingly agreed to indemnify from such legal claims/investigations under the terms of the service agreement.  A business is well advised to weigh the risks and benefits, carefully review the CSP’s terms of service, and decide what step is would need to take to protect itself before deciding to utilizing cloud computing and storage services.

If any aspect of your business operates in the cloud and you would like us to review a service contract with your CSP, any insurance policy related to cyber risks and cloud computing, or would like us to discuss protecting your business in the cloud please contact any attorneys in our Business Group.

This Alert is provided for information purposes only, and does not constitute legal advice.  According to Mass. SJC Rule 3:07, this material may be considered advertising. ©2012 Posternak Blankstein & Lund LLP.  All rights reserved.

Thank you for your interest in our firm. Before sending us an email, we ask that you please confirm your understanding of the following information. Our Web site,, is intended for general use and is not legal advice. Your email is not intended to create, and our receipt of it does not create or constitute, an attorney-client relationship. Any information that you provide to anyone at our firm cannot be considered confidential or privileged unless we agree to represent you. By sending this email, you confirm that you have read and understand this notice.

Processing email...