
In today’s cloud-enabled world, business functions are commonly outsourced to service providers. To perform their services, service providers often need to collect and process your employee or customer personal data. While the benefits of outsourcing these functions are clear (lower costs, scalability, better performance), the legal liability associated with keeping this data safe does not always transfer with the data to the cloud-based service provider. The legal landscape in the United States is a mosaic of state, federal, and industry-specific data privacy and security laws, many of which place responsibility on the business even when a service provider misuses or loses data. Here are some steps a business can take to reduce its legal risks when outsourcing business functions to the cloud.
Before entering into a relationship with a service provider, take a step back and ask yourself a couple of questions. What type of data am I sending to the service provider? What are the promises I make to my employees and customers? What is the potential financial and public fallout from a data breach? What are my legal requirements and what are the standards regulators, shareholders, customers, or employees hold me to?
Once you have an understanding of your standards, sit down with your IT team and draft a data security questionnaire for prospective service providers. A good questionnaire should reveal where service providers store data, the security measures in place, whether they’ve had any recent “security incidents,” the use of subcontractors, third-party audit results, and information about their cyber insurance policy.
Once you have an understanding of the service provider’s security measures, turn to the master services agreement (MSA), which governs the performance of the services. Typically, the MSA will have a “representations and warranties” section, where each party makes promises and assertions to the other party. Among other things, you should ask the service provider to “represent and warrant” that its collection, use, storage, processing, disclosure and disposal of your data complies with applicable laws. If the service provider’s answers to your questionnaire reveal any gaps, you should include additional security measures in the MSA that the service provider must enact. Do not expect to get everything you ask for. Implementing security measures to satisfy one customer can be expensive and time-consuming for service providers. However, you will never get contractual terms that you do not ask for.
The MSA should include a clause that requires the service provider to notify you immediately after any suspected security breach. It should also demand the service provider take steps to fix the breach, assist with notifying third parties, and pay for costs associated with recovering the data. While the service provider may rebuff some of your demands, it is better to discuss breach procedures now rather than in the midst of an actual security incident when both parties are scrambling to respond.
Who is responsible if your data is stolen from the service provider? The long answer lies in 50 different state data-breach laws, a handful of federal statutes and the terms of your MSA. Even if your service provider is statutorily on the hook for a data breach, your company may still be sued by customers, employees, shareholders, or regulators that claim your business was negligent in selecting its service provider. Seek an indemnification provision in the MSA whereby your service provider defends and indemnifies you for claims and losses related to third-party harm resulting from the service provider’s failure to comply with its security obligations, or from the unauthorized disclosure of your data.
Eric Langland, an attorney at Bernstein Shur, focuses on negotiating IT service provider agreements and building data privacy and cybersecurity compliance programs.
The views expressed are those of the author and do not necessarily reflect the views of the firm or its clients. This article is for general information purposes and is not intended to be and should not be taken as legal advice. He can be reached at elangland@bernsteinshur.com.