When considering engaging a cloud services provider, we recommend that the liability for any breaches reside with the entity controlling the data, as those in control are in the best position to prevent or mitigate any losses. Furthermore, as data breaches can be extremely expensive and can include costs to notify those affected, to recreate lost data, and to make whole anyone who suffered a financial loss following leaked data, it is prudent to require vendors carry insurance to match the potential liability, as their assets alone may be insufficient to cover claims.
Our insurance recommendations for any vendor or firm collecting, storing, processing, transmitting or otherwise handling Harvard Level 3 or 4 information, including cloud services providers, can be found here.
More research on the current costs of data breaches, insurance as a risk management tool, and Harvard's cyber liability coverage are available below.
Harvard Cyber Insurance Coverage Summary (PIN Required)