The cloud is everywhere, raining down apps and digital services on companies. The potential benefits are clear: more storage and portability of company information and customer data, as well as time and cost savings for management and employees. In a 2013 study from the Ponemon Institute and Thales e-Security, more than half of respondents said they put sensitive or confidential data in the cloud.

But do businesses that use the cloud know if important data is safe up there? There are several steps that companies can take in order to make sure they are protecting their confidential data—and minimizing liability—in the event of a cloud-based data breach.

Gytis Barzdukas, senior director of project management at cloud storage provider Mozy, part of EMC Corporation, told that in the fight against data breaches, the cloud is not the enemy. “How secure your data is has nothing to do with whether it’s in the cloud or not,” said Barzdukas. “It has everything to do with how and where it’s stored. Data needs to be encrypted, distributed and redundant.”

Mozy, he explained, keeps cloud data within the scope of data privacy laws by using military-grade encryption of users’ data and allowing customers to choose their own encryption key. “If you can render the data unidentifiable through appropriate levels of encryption, then you can normally store and process it in a compliant fashion,” Barzdukas said.

To solve the problem of cross-border compliance with data privacy laws, Mozy also has a global network of data centers, so that enterprise information never has to leave the region where it originates. This can be helpful for data-security law compliance purposes, because legal regimes may vary significantly between jurisdictions. “Because we own our own data centers, we can be sure of where the data is going,” Barzdukas said. “There are no third-party arrangements and no one in the chain is going to renegotiate a cheaper contract with a data center in Asia, for example, and change where your data is stored.”

Besides meeting technical data privacy standards, cloud computing and its role within an organization should be tailored to a company’s particular needs and its specific risk profile, David Katz, a partner at Nelson Mullins Riley & Scarborough and leader of the firm’s privacy and information security practice group, told

“It really requires the business to internally determine what its risk tolerances are for the data that they’re being given and they’re allowing access to,” he said. Making such a determination might not be easy for companies that have weaker governance systems for their data.

Ideally, according to Katz, a company lawyer should be at the table through the whole process of finding the right cloud services provider—from investigating the options, to purchasing the service, to integrating it into the company’s existing IT regime. Even if they can’t always be on hand, Katz emphasized the importance of in-house counsel building trusting relationships with other data-security stakeholders within the company. “I think they should continue to work to develop those personal relationships with everybody in the technology space in their organization so they can be perceived as a partner in moving that organization to the cloud, because there are legal and regulatory risks,” he said.

Negotiating contracts with cloud computing services is different than inking a deal with most third-party vendors, in that the brave new world of the cloud poses distinct technical difficulties and subtleties. Katz recommends bringing in specialized legal help for the contracting process and asking vendors to contractually agree to provide detailed information about its data breach protocols, should such an event occur and impact the company.

“Once the bad things happen, it becomes more and more difficult to get visibility or just understand what occurred,” he said. Katz also believes companies should contractually retain the right to send in an investigator or auditor after a breach of the cloud occurs, in order to sort out what went wrong and what effects the breach has had on the company.

One growing option for companies worried about a breach in the cloud is getting insured against it. Some have obtained cyberliability policies, which Collin Hite of law firm Hirschler Fleischer told may or may not cover cloud-based data breaches. While one might assume cyberliability insurance covers all cyber-related woes, cloud computing isn’t necessarily a part of a given policy.

“Cyberinsurance is new to the market, and everything is still kind of getting what I’ll call ‘formulated,’” said Hite, who is the leader of his firm’s insurance recovery group. He explained that cyberinsurance policies are evolving rapidly, just like the digital threats they cover, and haven’t been tested much in courts—so he’d advise that companies “try to protect your risk upfront in these situations.”

Regardless of whether the insurer of the cloud services provider or the insurer of the provider’s client takes on the most risk, Hite stressed, it’s important that companies with enough valuable data and higher risk profiles stay covered. “If all else fails, you should be able to look to your own insurance to provide the coverage,” he said.