Cloud services – Guidance for managing cybersecurity risks

Éloïse Gratton August 23, 2020

Cloud services make information technology (IT) resources (e.g., networks, servers, software applications and data storage) and related services (e.g., hardware and software maintenance and technical support) available as a utility or consumption-based service. Cloud services enable an organization to outsource its IT requirements to a specialist cloud service provider (a CSP) who can provide required services in a better and more efficient and cost-effective manner. For those reasons, cloud services can provide significant benefits, but they can also present potentially significant risks.

An organization that uses cloud services to operate its business or provide products or services to its customers remains responsible and liable for legal compliance and performance of the organization’s legal obligations to investors, employees, customers and business partners. In addition, the organization is often dependent on the CSP and vulnerable to CSP misconduct, because the CSP usually has complete control over the quality and availability of the cloud service and physical custody of the organization’s business data, including the organization’s own sensitive/confidential data and third party data that is protected by restrictions/requirements imposed by contract, common/civil law or statute.

Those circumstances can present potentially significant risks to the organization, including risks relating to: (1) business continuity (if there are problems with the service or the CSP suspends or terminates the service); (2) data availability, integrity and confidentiality; and (3) legal compliance. Failure to manage those risks can result in various kinds of potentially significant claims and liabilities (e.g., lawsuits by shareholders, customers, employees and business partners, and investigations and enforcement proceedings by regulators) and losses (e.g., business disruption losses and reputational harm).

The Canadian Centre for Cyber Security has issued guidance for managing cybersecurity risks associated with cloud services. The guidance recognizes the significant benefits of cloud services, but cautions organizations to carefully assess and effectively manage the risks presented by cloud services. All organizations contemplating the use of cloud services can benefit from the Cyber Centre’s guidance.

Read Bradley Freedman’s bulletin on this guidance.

This content has been updated on August 23, 2020 at 10 h 38 min.

Éloïse Gratton

Privacy & Data Protection Law

Cloud services – Guidance for managing cybersecurity risks

Data governance and privacy risks in Canada: A checklist for boards and c-suite

An Update on New Québec Confidentiality Incidents and Record-Keeping Requirements

The inside scoop on how to become a privacy lawyer: 10 tips from the top

Preparing for the Privacy Reform in Canada

Getting Ready for Québec’s New Privacy Law in 2023 (Part 1): Using what we know so far

Getting Ready for Quebec’s New Privacy Law in 2023 (Part 2): Navigating uncertainty in the Law

Une fugitive recherchée depuis 30 ans, capturée à Berlin grâce à la reconnaissance faciale

CBC Windsor Morning Radio Show

La Cour suprême vient compliquer les cyberenquêtes

Une fugitive capturée à Berlin grâce à la reconnaissance faciale

Aide-mémoire en matière de protection de la vie privée et de sécurité des renseignements personnels

Lucky 7 data privacy and security cheat sheet