A survey released this week at RSA is troubling in that it says businesses using cloud services are concerned about security, but don't verify what providers do to meet the security promises they make.

While most respondents to the Deloitte-Ponemon Institute survey who use cloud services say they include security requirements in service providers’ contracts, 82.6% say they have no program to check for compliance.

The problems with this are multi-layered. Valuable data could be lost, altered or stolen. Despite providers agreeing to protect the data in accordance with customer requirements, their failure to do so doesn’t lift responsibility for the data from the customer.

So if clients’ credit card numbers are compromised, the business that had those numbers stored in the cloud is still responsible. The legal liability is still theirs. They may be able to recoup some money from the provider, but that is after a long legal process.

If such data is compromised and must be reported publicly, the hit to the corporate reputation is just as bad and perhaps irreparable.

It is still important to have legal agreements with providers, but customers must take other steps.

* Verify that providers are taking appropriate measures to protect the data.

* Run a trial of the service and make sure data is protected, stored properly, even destroyed in accordance with corporate policy. Only after the service passes should it be deployed to an entire organization.

* Read boiler-plate contracts many providers try to get customers to sign. Many customers don’t.

Contracts with providers are still valuable, but they don’t in themselves protect the actual data.

Tim Greene is senior editor at Network World.