Solution providers should review their contracts regarding their liability involving a breach of a customer's data, otherwise they could be in for trouble, said Zenith Infotech's general counsel during a general session at the PSA platform company's Cloud Summit in Moon, Pa.
"Hire counsel to draft your initial agreement to make sure you get it right the first time. You don't want to go back and change agreements or not comply with the law. Make revisions sparingly," said Bradley Gross, an attorney at Becker-Poliakoff, a Fort Lauderdale, Fla.-based law firm.
Contracts should be especially scrutinized by VARs and MSPs selling cloud solutions to customers, Gross said, because of all the parties that theoretically might own or touch the data. Any good vendor is likely to have an airtight policy regarding its liability, and contracts need to detail the solution provider's liability just as explicitly, he said.
VARs are exempt from liability in many cases as long as they include the correct legal wording in contracts, he said.
"From an MSP perspective, it's always ambiguous on whether you give a special layer of security," Gross said. "For example, HIPAA relates to entities that personally deal with health information. But you're not a doctor or insurance company. With Sarbanes-Oxley, you have no responsibility as an MSP, but the companies giving you data do."
Gross stressed that that's the law right now but a new SAFE Act currently under discussion in Washington could change the game.
"You guys don't have laws governing data security besides the High Tech Act. Keep your eye on the SAFE Act. It might put responsibility on how much security you have to offer customers. At best it will be out in mid-2012, assuming there are no changes to it," Gross said.
VARs are still subject to negligence laws, Gross said, meaning they could be held responsible if they knew of a problem, or knew they owed a duty of care, and failed to meet that duty.
"Then you're going to have a problem. It's negligence. Not only did you know [of a problem] but you willfully ignored it," he said.
Solution providers are also subject to Federal Trade Commission laws that say they must perform the scope of the contract. "If you don't do what you say you're doing, that's a problem," he said. "They will go after you for unfair trade practices if you promise a customer something and don't do it."
Gross offered two suggestions to VARs selling into the cloud.
First, they should check with their upstream providers to understand their security parameters. "You can't offer that which you don't have," he said. "If I offer you a [encrypted cloud] solution and you type in 'Charlie' and then you can see [unencrypted] codes, don't say you have the best encryption in the business."
Second, understand the data storage chain, Gross said. Know where the vulnerabilities are so you know what to promise and not promise.
"Create a security plan for monitoring, detection, escalation, remediation and notice," he said.