Both state and federal governments are seeking ways to ensure citizens’ personal information is secure and remains private, but the laws vary wildly and are sometimes frustratingly complex. For businesses, it is not always clear which laws, if any, the business is subject to. Once applicability of the law to a business is determined, the process of evaluating compliance of IT systems and policies can be time-consuming.
Now imagine you are the vendor of software products that could potentially store statutorily protected data for your customers. You potentially have just inherited compliance evaluation projects for every one of your customers.
For many vendors, such compliance demands are too burdensome, and a quick review of their cloud computing agreements shows that their methods for handling these requirements often consist of avoiding the subject altogether or expressly absolving themselves of the responsibility. Many vendors attempt to avoid liability by including provisions in their contracts disclaiming any liability for data breaches or for compliance with data security regulations. Cloud customers that do not carefully evaluate cloud agreements can find themselves holding the bag for data breaches that may have been caused by their cloud vendors.
Some statutes, such as the recently revised HIPAA rules, have addressed such contractual liability avoidance by specifying that business associates of companies covered by the statutes are also liable for data breaches. As the cloud computing industry matures, vendors will learn that they have to comply with statutory security requirements. During this maturation, new and possibly standardized methods to share responsibility for the security of customer information will emerge. For now, customers should seek the advice of experienced counsel before entering into any cloud computing agreement, both to mitigate or eliminate vendor avoidance and to ensure the vendor will adequately protect statutorily protected personal information.