Thanks to its economic viability and relative ease of implementation, cloud technology has become an increasingly popular choice among charities for data storage; however, the risks involved are not always fully understood by trustees.
Cloud computing relationships are often complex, and data can be held across a number of different jurisdictions with varying degrees of compliance. Some trustees have only just begun to understand the concerns over access to their data if it is being held, for example, in America, following the introduction of the American Patriot Act back in 2001.
It may sound obvious, but once a third party provider is involved in managing data, trustees no longer have absolute control over what happens to it.
With responsibility for maintaining the security of that data firmly with trustees, it is essential that they are fully aware of how much control they actually have over their data and what the consequences of having a third party involved may be. For example, trustees could be held responsible for security breaches that they weren’t even aware of – potentially on the other side of the world.
One of the key issues is that, in many cases, trustees do not really know where their data is being held. While they may have a contract with an immediate third party, there is often a chain of providers sitting behind the contract that trustees are unaware of.
An important consideration that is often overlooked is what would happen if the cloud provider should go out of business.
While trustees might have processes in place to review the charity’s own internal systems, the implications of not being able to access data in the long-term as a result of a third party provider’s failure are not always considered.
Indeed, with any third party in place, the range of security risks automatically widens. If, for example, the cloud provider is hacked or has security issues, the impact on the charity could be significant.
So what can trustees do to protect themselves and the charity?
A good starting point would be to undertake a proper due diligence exercise before entering into any cloud relationship and to review any existing cloud agreements with equal rigour.
This exercise will typically review the number of providers in the cloud chain, the jurisdictions that are covered and which provider is responsible for the data, security and any potential data loss.
It should also examine the financial stability of the cloud provider and an assessment of its business continuity plan.
The outcome of this exercise will allow trustees to enter into a more robust service level agreement. Typically, such agreements will encompass the areas identified in the due diligence exercise and should deal with compensation payments for any breaches of the contract, such as the loss of access to data for a prolonged period of time.
More importantly, trustees need to be kept informed of any changes to their original agreement.
It is quite common for the providers in the cloud chain to change over time and for service level agreements to be out of date within a few years. In the ever evolving world of technology, trustees should not assume anything.
If some of the world’s biggest corporations such as Sony, Microsoft and Google can be caught out, charities certainly can.
Anjali Kothari is a not-for-profit partner at the accountancy firm Kingston Smith and treasurer of the Charity Law Association