Incorporating your company’s incident response plan into its cloud computing contract
June 2016 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Nearly every board of directors now understands that its company will suffer a cyber attack and will have to respond to the attack and its public and private consequences. Accordingly, all companies need to prioritise drafting, implementing and testing a cyber incident response plan. This process includes identifying the company’s most vital data, putting protections around that data, and crafting a complete response action plan for when a breach occurs. Without such a plan, even a minor intrusion can become a legal and practical problem.
At the same time, companies seeking to minimise information technology costs – in other words, all companies – are increasingly contracting for cloud computing services. Indeed, the use of infrastructure as a service (IaaS) cloud solutions is increasing at a dizzying pace. In an IaaS arrangement, the cloud provider furnishes the underlying technology, including the servers that run the company’s workloads, the storage that holds its data and the networking that moves that data. Companies may use these services differently, with some segregating the sensitive data they place in the cloud, insisting on a private cloud format, or restricting the movement of data to servers located in certain geographical regions, but all of them share one thing in common: a contract that governs the arrangement and sets the rules for communication and liability. Cyber attacks may target the information at its source within the company, in transit, or once it resides in the cloud. Whatever the manner of the attack, the company and the cloud provider must be able to work together to respond and to reduce the threat going forward.
Most companies perform these two tasks, preparing for a cyber attack and contracting for cloud computing services, independently of one another. But savvy companies can get a head start on incident response by incorporating aspects of that plan into their cloud computing contract. In particular, at least three aspects of cloud computing contracts present an opportunity to improve incident response: (i) provisions governing communication, and the timing of communication, in the case of a data breach; (ii) provisions relating to investigations into the cause of a data breach; and (iii) provisions requiring that the steps taken in response to a data breach be documented and that the documentation be shared.
As to communication, every incident response plan calls for a small group of individuals, often led by the company’s general counsel or outside counsel, to implement measures designed to minimise the impact of a cyber intrusion. Similarly, most cloud computing contracts contain a provision telling the provider what to do in the event of a cyber attack. Marrying these provisions can be difficult, but companies must, at a minimum, insist that the cloud provider name a security liaison who will work with a designated individual within the company when a cyber intrusion occurs. The same provision should fix a notification deadline that runs from the provider’s detection of the incident, because the company’s own plan, and any regulatory notification clocks that bind it, cannot start until the company knows. The importance of defining the lines of communication cannot be overstated. If and when law enforcement gets involved (in the US, usually the Federal Bureau of Investigation or the Secret Service), the company should appoint a single point of contact to deal with them. That point of contact must be able to command all of the facts, whether known to the company’s employees or to those of the cloud provider.
This communication must also be confidential and productive. That means the information technology specialists within both the company and the cloud provider must understand the legal issues and risks associated with the data compromised or stolen. A contractual provision defining the crucial information and identifying the security liaison named by the cloud provider as a contact for counsel (whether in-house or outside) allows the company to argue that the attorney-client privilege extends to communications with the cloud provider concerning a data breach. In sum, the better a company clarifies and defines communication with its cloud provider (and other information technology vendors), the better that company will be situated to act decisively in response to a cyber intrusion and work effectively with both law enforcement and counsel.
As to investigations, identifying the cause of the cyber intrusion is an important part of an incident response plan, often involving forensic techniques such as reviewing intrusion detection logs and interviewing witnesses. Cloud providers have their own investigation methods, usually involving outside auditors and the provider’s own security tooling. In an IaaS arrangement, much of the evidence an investigation needs (hypervisor and network logs, API audit trails, disk snapshots of affected instances) is held only by the provider, so the contract should state which records the provider will preserve and produce on request, and for how long. Even the best and most precise contracting likely will not result in a single, collaborative investigation, but it can establish coordination with counsel and uniformity of approach. As noted above, empowering counsel to head up communication in response to a cyber intrusion improves the likelihood that a company will be able to execute its plan within the confines of the attorney-client privilege. Understanding the investigative method used by your company’s cloud provider, and contracting so as to arrange a congruent approach, allows your company to use similar techniques and so maximise the compatibility of the information each side gathers. In other words, when everyone is ‘speaking the same language’, better results usually follow.
As to documentation, the keys are real-time communication and a shared, consistently maintained record. Regardless of the origin of the data breach (and, ultimately, which party is responsible for it), the technical employees of the cloud provider and of the company suffering the breach must be able to work together and document their understanding of the intrusion as it unfolds. Logging each step of the response from discovery onward allows both the company and its cloud provider to make good decisions. To be useful, this documentation must be communicated in real time via the channels described above, and it must be in a format that both parties can understand. A contractual provision can define that format and resolve the problem before it arises.
Incident response plans are not meant to be static documents. They must be fully understood, practised and designed for compatibility with the company’s interactions with third parties, including its cloud computing provider. Friction can be expected when a cyber incident results in a breach of data heading to or held within a cloud computing infrastructure. But precise contracting can minimise that friction and improve the speed and efficiency of containment by defining communication, coordinating the investigation and sharing documentation in real time.
John C. Eustice is a member of Miller & Chevalier Chartered. He can be contacted on +1 (202) 626 1492 or by email: jeustice@milchev.com.
© Financier Worldwide