Contracting with cloud service providers has long been a world shrouded in fog. Across various organizations, cloud service agreements (CSAs) are all over the place, and often many people entering into these contracts have no idea what provisions they should have to protect their data.
According to a recent survey by Forrester Research, “cloud agreements are often missing key considerations.” In the survey of 467 small and medium-sized businesses and government entities, 48% said that they wished they would have included more security requirements in their CSAs and 41% said they wished they would have included more requirements to protect privacy.
The Forrester survey involves more sophisticated actors who already realize that something might be missing from their CSAs. There are many out there who don’t even know what might be missing and who think their CSAs are just fine when, in fact, their CSAs are woefully inadequate.
Significant guidance is needed to improve this landscape and bring more order to the chaos. Fortunately, a new standard, ISO/IEC 19086, provides this much-needed guidance.
Why Do Cloud Service Level Agreements Matter?
Cloud Service Agreements matter. They matter because they are at the front line of protecting the privacy and security of personal data.
Many organizations use cloud services to store personal data. The people to whom this personal data pertains are often not direct parties to these contracts. These people supply their data to an organization, and they have no involvement in the agreements that these organizations make with cloud service providers.
Although people are not direct parties to these contracts, the privacy and security of their personal data is only as strong as that provided by the cloud service provider. If an organization has an inadequate CSA with a cloud service provider, then customer data will not be sufficiently protected.
Lawsuits and Regulatory Sanctions
The negligence and other wrongdoing of cloud service providers can lead to violations of law and data breaches. An organization will be liable for the failings of its cloud service providers.
Additionally, in In re GMR Transcription Services Inc. (Jan. 31, 2014), the FTC has concluded that failing to adequately choose, contract with, and oversee a data service provider is an unfair and deceptive trade practice under Section 5 of the FTC Act. According to the FTC, GMR failed to “require [its service provider] by contract to adopt and implement appropriate security measures to protect personal information.”
The FTC didn’t see this situation as involving merely an arrangement between two companies. Consumers were caught in the middle, and the FTC ensured that their interests would not be lost in the shuffle. For more details about FTC enforcement regarding inadequate CSAs, see my essay, The FTC and Privacy and Security Duties for the Cloud.
Moreover, not only does an organization owe a duty to consumers to appropriately represent their privacy and data security interests in the negotiation, but cloud service providers have an obligation to the consumer as well and cannot enter into contracts that lack adequate protections and controls.
Thus, adequate CSAs are essential to protecting personal data, complying with privacy and security laws, and following regulatory obligations.
Problems With Cloud Service Agreements
Unfortunately, many CSAs are not adequate. There are several common problems that occur with CSAs.
Lack of Knowledge
Many individuals who enter into CSAs with cloud service providers lack sufficient knowledge about what provisions and protections should be included in a CSA. At some organizations, there may be individuals with varying levels of knowledge and experience in negotiating CSAs. At other organizations, there may be nobody with sufficient knowledge to be able to negotiate a CSA.
Negotiating a CSA is not akin to negotiating any ordinary contract. Knowledge of the appropriate privacy and security protections is essential.
For example, a study conducted by Fordham School of Law’s Center on Law and Information Policy revealed that contracts between K-12 school districts and cloud service providers lacked essential terms for the protection of student data. According to the study, 95% of school districts surveyed were using cloud service providers, but the majority had poor CSAs. CSAs “would often contain misleading or inappropriate provisions.” Sometimes vendors would “include a term specifying that the vendor would not cause the district to fall out of compliance with FERPA,” a clause which “inappropriately gives the district the impression that FERPA requirements are satisfied.”
Only 25% of the agreements “gave districts the right to audit and inspect the vendor’s practices with respect to the transferred data.” A quarter of the agreements failed to prohibit or limit “re-disclosure of student data or other confidential information.” And none “specifically prohibited the sale and marketing of children’s information.” Other access and confidentiality rules of FERPA were also not accounted for in these agreements. A third failed to “provide for the deletion of student data at the conclusion of the contract.” And “[o]nly one agreement (12.5%) required the vendor to notify the district in the event of a data security breach.”
Lack of Bargaining Power
Another problem is a lack of bargaining power. Many organizations contracting with cloud service providers are contract takers, not contract makers. Even when organizations ask for reasonable provisions in a CSA, they might not have the power to get everything they want. Without a clear standard to point to, organizations might readily concede certain key protections.
The Forrester Research survey includes some very interesting findings about people’s regrets about CSAs they entered into. Many of those surveyed indicated that they would have wanted greater privacy and security protections.
Also, as the report indicates, most CSAs omit key provisions for the protection of privacy and security, so those surveyed were justifiably regretful. This study was of people sophisticated enough to know that their CSAs were falling short. There are many other people out there who have no idea that their CSAs are not up to snuff.
Lack of Internal Coordination
Larger organizations often have greater bargaining power and individuals with sufficient knowledge about what to include in a CSA. But there still are problems. Often various departments and many different individuals are entering into CSAs with many different cloud service providers. Fragmented organizational approaches to contracts with third-party vendors involving data can lead to tremendous inconsistency.
Knowledge often isn't shared, so those lacking sufficient knowledge aren't benefiting from those who have such knowledge. A lack of centralization means that each CSA will be negotiated separately, without any set of standards and often without much guidance. The result is that large organizations have some adequate CSAs but also have some inadequate ones.
ISO 19086 — Much Needed Guidance
A new standard just recently issued, ISO/IEC 19086-1:2016, seeks to provide common guidance about what should be included in CSAs. This standard is greatly needed, as it will address the problems I listed above. The standard will help those who lack knowledge about what terms to include in a CSA. The standard will help address the bargaining power problem because organizations can point to the standard as a baseline for what provisions the CSA should contain. And the standard will help deal with the lack of internal coordination by providing a common standard that all can follow.
The standard includes the following content areas:
4. PII Protection
5. Information Security
6. Termination of Service
7. Cloud Service Support
9. Service Changes
10. Service Reliability
11. Data Management
12. Attestations, Certifications, and Audits
Key parts of a CSA include ensuring data security and the protection of the privacy of PII, as well as how termination of the service will be handled. Far too often, CSAs fail to adequately address what happens when the service is terminated.
As the Forrester Research survey found, there is a lot of work to be done to get organizations to meet the ISO 19086 standard. Many key elements of the standard aren’t included in CSAs. See the infographic below.
But now that there is a standard, the road is paved for significant improvement.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.