Does Adoption of Cloud Computing Shift Cyber Liability Risk?

By Ted Sabety
April 01, 2016

The rapid adoption of cloud computing has attracted companies that seek to lower their information technology costs. At the same time, it is reported that there has been an increase in data loss and an increase in cyber-liability claims against companies, some of it from an increase in criminal acts like hacking. But the biggest vendors in the cloud computing industry want to push the risk of penetration of their systems onto their customers adopting the technology, those far removed from control of the hardware and network platforms on which cloud computing relies. This shift of cyber liability risk away from the cloud computing platform providers and onto their customer may be a result of competitive pricing in the cloud computing platform service industry. Some in the industry consider the liability risk associated with retail customer data disclosure to be approximately $2,000 per customer data record. This is a large number when one considers that corporate customer databases could easily have 100,000 data records with names, addresses, credit card numbers and other information. Therefore, cloud computing customers have to consider how to ameliorate the risk of cyber liability despite having outsourced their compute infrastructure to the cloud.

Cloud Computing Has Become Highly Popular

Typically, a cloud provider's software architecture is engineered so that users of software residing on its server from different corporate customers can use the software (and their data) independently but at the same time. The customer is reliant on the software-as-a-service provider (SaaS) to operate and maintain the software and the customer's database. The SaaS provider is also a customer of the cloud computing platform service for the servers and networking on which their software service relies. While the corporate customer's data is stored outside the perimeter of the corporate network on a server that neither customer has direct control over, there are advantages to operating corporate information technology infrastructure this way.

Cloud computing has become attractive for several reasons. First, the software company providing SaaS maintains its computer software. In addition, its cloud computing platform provider maintains the hardware and network infrastructure. As a result, the corporate customer is spared the costs of acquiring, operating and maintaining a computer facility of its own. Often this is the right thing to do because the company providing the cloud computing platform is better suited to maintain a computing facility than the corporate customer and the SaaS service provider is better suited to installing upgrades and bug-fixes to its software. Second, the typical SaaS licensing arrangement is a usage-fee based structure. Some are based on the number of users, others on the size of the database. Typically, SaaS licenses have some kind of recurring fee, that is, a set fee per year times the number of users (or other usage metric). This is in contrast with traditional software licensing for internal use at the corporate customer: typically a set of perpetual licenses that are per-user, and then an annual support fee per user. Overall, the industry view is that a move to SaaS takes software costs from a capital expense profile, with large up-front costs, to an expense time profile that correlates over time with the growth of the corporate customer's business. In many cases, this is financially beneficial to corporate customers.

Cloud Computing Agreements Shift Cyber-Liability Risk

There is a potential hidden cost to the adoption of cloud computing: The companies offering the cloud computing platform service typically shift the risk of data loss or disclosure onto their customer. Another way to look at it is that when corporations operate their own computing facility, they hold the liability risk of a data disclosure incident. While they may outsource the costs of the computing facility by moving to a cloud computing solution, they may nevertheless still hold that data liability risk. A brief review of the End User License Agreements (EULA) for several popular cloud computing platform services shows that by contract, the cloud computing platform customer typically holds this risk, not the cloud platform provider.

Amazon Web Services states explicitly in §3 of its EULA that it will “implement reasonable and appropriate measures ... to help you secure your Content ...,” which is the responsible thing to do. However, should it breach that standard of care, its contract states at §11: “We ... will not be liable to you for any direct, indirect damages ... including ... loss of profits, goodwill, use or data.” It disclaims all warranties, makes no indemnities and has a warranty disclaimer with no exceptions. One wonders whether the exclusion of all damages for breach of the agreement makes the contract a nullity for failure of consideration.

Google Drive takes a similar position to Amazon Web Services. In Google's EULA, there are no warranties other than those expressly made, but it states that “to the extent permitted by law, we exclude all warranties.” Google's EULA recites a limitation on liability that doesn't exclude direct damages, and it does not provide indemnities and the EULA caps liability at the amount the customer has paid Google. In addition, the provision on limitation on liability excludes lost profits, revenues, “data [and], financial losses ....”

Apple's iCloud service, which is a cloud data storage facility typically used by iPhone, iPad and iMac users, offers similar risk allocation terms. Apple's EULA disclaims all warranties “express or implied.” Its EULA includes a limitation on liability that excludes direct, indirect damages and lost profits. Apple does not offer any indemnities.

Microsoft 365, which is Microsoft's new direction for delivering Microsoft Office software, has become more popular. Microsoft 365 is a SaaS offering of Office software as a service. Microsoft has a EULA that has a complete warranty disclaimer, express or implied. Microsoft does not provide an indemnity and caps its liability at one month's service fees. Given Amazon, Google and Apple's position on the question of risk allocation, it is not surprising that Microsoft follows suit and does not offer up better risk allocation terms.

This risk shift is opposite to what would be expected: In this case, the risk of data loss or disclosure is shifted toward those parties with less control over how to address it, while normally one would expect the risk to be shifted to those that can, the cloud platform service providers. But there are things that the cloud computing customer should do to ameliorate this risk.

Consider and Address The Risk

It is highly recommended that the cloud computing customer consider how to evaluate and ameliorate the risk of data loss or disclosure when evaluating the adoption of a cloud computing platform service. There are several approaches that should be used. First and foremost is considering the type of data being hosted remotely. Some types of data are less sensitive than others, and this may inform the strategy that applies to a particular case. For example, financial data subject to certification for Securities Act purposes is likely more sensitive than anonymized click-stream use data, and whether either data set goes into the cloud may depend on the quality of the in-house compute facility and its security as compared to that of the cloud platform solution. These factual considerations have to be evaluated as part of the cloud computing outsourcing transaction.

Second, negotiation of contract terms to shift risk back to the cloud platform service provider may be possible. The EULAs described above might be negotiable with a sufficiently large guarantee of revenue from the corporate customer. Nonetheless, that the EULAs described above are the default contractual documentation suggests that the customer of the cloud platform service has to be vigilant that its personnel are not relying on “click through” agreements to contract these services without the advice of legal counsel. Further, new SaaS services that are customers of a cloud computing platform service should try to renegotiate their contracts with the service as soon as there is growth of their usage metric: Cloud service fee revenue growth provides negotiating leverage because it is the justification for the cloud computing services' competitive pricing strategy.

Third, the cloud computing customer should consider purchasing cyber liability insurance against the risk of data loss and disclosure. The costs of the insurance policy should be considered along with the costs of the cloud computing solution in order to fully understand the costs and benefits of a cloud computing solution. However, the insurance policy coverage has to be revisited periodically because the potential liability risk may scale with the size of the corporate customer's data set, i.e., the number of its retail customer identities that are stored on the cloud platform provider's servers. Therefore, the insurance coverage amount may have to grow with the customer's business. It is also important to obtain the correct insurance policy, one that specifically calls out cyber liability coverage that includes hacking as well as negligence and one that will cover acts by or against the insured's contractors. Consider that a New York court ruled that a loss arising from a computer system data leak due to a hacker was not covered by a general liability insurance policy. In Zurich American Insurance v. Sony Corp. of America, the Supreme Court of the State of New York held that a commercial general liability policy did not cover data loss arising from a criminal act by a third party because the provision covering liability for “publication” covered only publication by the insured, not publication resulting from the hack. Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011, appeal withdrawn 127 A.D.3d 662 (1st Dept. 2015).

Conclusion

Outsourcing the compute facility to a cloud platform service does not necessarily shift cyber liability away from the customer. Therefore, when evaluating cloud computing solutions, the low prices offered by cloud computing platform services have to be evaluated along with the costs of ameliorating the allocation of cyber liability risks. In addition, companies should be vigilant that their employees are not relying on click-through agreements that have not been reviewed by counsel in order to store the company's data on these cloud computing platform services. The “free” service may have hidden costs for the company.


Ted Sabety is the founder of Sabety +associates, an intellectual property and technology law firm located in New York. This article also appeared in our ALM sibling, New York Law Journal.
