terms, such as providing credit monitoring or distributing breach notices to consumers, can cost
hundreds of thousands of dollars to millions for a single breach.
Government disclosure: Information involved in a breach may include consumer or patient
personal information, proprietary organizational information, or information potentially
damaging to an organization’s reputation. A term requiring the cloud provider to notify your
organization before it discloses your information to a government authority (so that you have
the opportunity to seek a protective order) protects your organization’s confidentiality interests.
Disclosure of pending investigations/lawsuits: Cloud providers facing investigations by
government authorities (for example, over the adequacy of their security controls or privacy
practices) should be required to notify your organization, since such investigations may affect
your service or your confidence in the cloud provider honoring your agreement.
Breach notification: While some organizations require notification for every incident, the large
number of false positives and low-impact incidents often yields little useful data. However,
cloud providers should provide details on “reasonably suspected or confirmed data
breaches as soon as reasonably possible and without undue delay.” Some organizations
may prefer to explicitly call out notification timeframes, but in the early hours of a data breach,
third parties such as cloud providers often cannot provide enough information for a fixed
deadline (a 24-hour notification requirement, for example) to be of much value.
Remediation costs/Liability: Organizations should require, whenever possible, that cloud
providers bear the costs of a data breach, including remediation costs and data breach
notification communications and credit monitoring. Additionally, organizations should consider
whether a liability cap set at a specific value would adequately cover a data breach.
Insurance: Cloud providers should carry cyber liability insurance, and coverage limits are
negotiable. While the limits matter for covering a data breach, the main concern is that a
provider without enough insurance to cover a data breach could become insolvent, leaving
your organization to absorb the costs. Your organization may prefer to set higher coverage
expectations for smaller or start-up cloud providers depending on the sensitivity and volume of
data involved.
Privacy
Organizations storing personal information of consumers, patients, or employees should
consider including privacy terms in a cloud services agreement, especially if the personal
information concerns non-US citizens (such as EU residents, Canadian residents, or others).
Personal information covers a wide variety of data types, including an IP address or a person’s
image in some jurisdictions, so it is critical to work with a qualified privacy professional to
determine which, if any, privacy laws apply to your cloud implementation.
From a privacy perspective, an organization should consider the following when personal
information is transmitted or stored:
37 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide