Issue link: https://nebusinessmedia.uberflip.com/i/1150436
Vol. XXV No. XVII, August 5, 2019
By Eric Langland
How To

In today's cloud-enabled world, business functions are commonly outsourced to service providers. To perform their services, service providers often need to collect and process your employee or customer personal data. While the benefits of outsourcing these functions are clear (lower costs, scalability, better performance), the legal liability associated with keeping this data safe does not always transfer with the data to the cloud-based service provider.

The legal landscape in the United States is a mosaic of state, federal, and industry-specific data privacy and security laws, many of which place responsibility on the business even when a service provider misuses or loses data. Here are some steps a business can take to reduce its legal risks when outsourcing business functions to the cloud.

1. Create standards

Before entering into a relationship with a service provider, take a step back and ask yourself a couple of questions. What type of data am I sending to the service provider? What are the promises I make to my employees and customers? What is the potential financial and public fallout from a data breach? What are my legal requirements and what are the standards regulators, shareholders, customers, or employees hold me to?

Once you have an understanding of your standards, sit down with your IT team and draft a data security questionnaire for prospective service providers. A good questionnaire should reveal where service providers store data, the security measures in place, whether they've had any recent "security incidents," the use of subcontractors, third-party audit results, and information about their cyber insurance policy.

2. Clauses in the agreement

Once you have an understanding of the service provider's security measures, turn to the master services agreement (MSA), which governs the performance of the services.
Typically, the MSA will have a "representations and warranties" section, where each party makes promises and assertions to the other party. Among other things, you should ask the service provider to "represent and warrant" that its collection, use, storage, processing, disclosure and disposal of your data complies with applicable laws.

If the service provider's answers to your questionnaire reveal any gaps, you should include additional security measures in the MSA that the service provider must enact. Do not expect to get everything you ask for. Implementing security measures to satisfy one customer can be expensive and time-consuming for service providers. However, you will never get contractual terms that you do not ask for.

3. Data breach procedures

The MSA should include a clause that requires the service provider to notify you immediately after any suspected security breach. It should also demand the service provider take steps to fix the breach, assist with notifying third parties, and pay for costs associated with recovering the data.

While the service provider may rebuff some of your demands, it is better to discuss breach procedures now rather than in the midst of an actual security incident when both parties are scrambling to respond.

4. Indemnification

Who is responsible if your data is stolen from the service provider? The long answer lies in 50 different state data-breach laws, a handful of federal statutes and the terms of your MSA. Even if your service provider is statutorily on the hook for a data breach, your company may still be sued by customers, employees, shareholders, or regulators that claim your business was negligent in selecting its service provider.
Seek an indemnification provision in the MSA whereby your service provider defends and indemnifies you for claims and losses related to third-party harm resulting from the service provider's failure to comply with its security obligations, or from the unauthorized disclosure of your data.

Eric Langland, an attorney at Bernstein Shur, focuses on negotiating IT service provider agreements and building data privacy and cybersecurity compliance programs. The views expressed are those of the author and do not necessarily reflect the views of the firm or its clients. This article is for general information purposes and is not intended to be and should not be taken as legal advice. He can be reached at elangland@bernsteinshur.com

Manage legal risks when outsourcing business functions to the cloud