An accompanying proposed opinion provides a roadmap for effectively protecting against the risk of a data breach when contracting with a SaaS vendor. It lists 23 questions that "a lawyer should be able to answer sufficiently to conclude that the risk has been minimized." The questions examine whether the SaaS vendor has satisfactorily addressed the security issues implicit in cloud computing and whether the lawyers have probed sufficiently into the security systems.
The questions include whether the agreement with the vendor addresses confidentiality, how the data is protected and who has access to the data.
The North Carolina proposal recommends additional evaluation, including inquiries about firewalls, encryption techniques, socket security features and intrusion-detection systems. Some experts suggest that this level of diligent inquiry should be an ongoing process.
"Ensuring data security doesn't end after the initial due diligence review," says Jeff Davis, a shareholder at Vedder Price. He recommends regular professional reviews of vendor data security procedures.