Does Adoption of Cloud Computing Shift Cyber Liability Risk?

By Ted Sabety
May 01, 2016

The rapid adoption of cloud computing has attracted companies that seek to lower their information technology costs. At the same time, it is reported that there has been an increase in data loss and an increase in cyber-liability claims against companies, some of it from an increase in criminal acts like hacking. But the biggest vendors in the cloud computing industry want to push the risk of penetration of their systems onto their customers adopting the technology: those far removed from control of the hardware and network platforms on which cloud computing relies. This shift of cyber liability risk away from the cloud computing platform providers and onto their customers may be a result of competitive pricing in the cloud computing platform service industry. Some in the industry consider the liability risk associated with retail customer data disclosure to be approximately $2,000 per customer data record. This is a large number when one considers that corporate customer databases could easily have 100,000 data records with names, addresses, credit card numbers and other information. Therefore, cloud computing customers have to consider how to ameliorate the risk of cyber liability despite having outsourced their computer infrastructure to the cloud.

Cloud Computing's Popularity

Typically, a cloud provider's software architecture is engineered so that users of software residing on its server from different corporate customers can use the software (and their data) independently but at the same time. The customer is reliant on the software-as-a-service (SaaS) provider to operate and maintain the software and the customer's database. The SaaS provider is also a customer of the cloud computing platform service for the servers and networking on which their software service relies. While the corporate customer's data is stored outside the perimeter of the corporate network on a server over which neither customer has direct control, there are advantages to operating corporate information technology infrastructure this way.

Cloud computing has become attractive for several reasons. First, the software company providing SaaS maintains their computer software. In addition, their cloud computing platform provider maintains the hardware and network infrastructure. As a result, the corporate customer is spared the costs of acquiring, operating and maintaining a computer facility of its own. Often this is the right thing to do because the company providing the cloud computing platform is better suited to maintain a computing facility than the corporate customer, and the SaaS service provider is better suited to installing upgrades and bug-fixes to their software. Second, the typical SaaS licensing arrangement is a usage-fee based structure. Some are based on the number of users, others on the size of the database. Typically, SaaS licenses have some kind of recurring fee, that is, a set fee per year times the number of users (or other usage metric). This is in contrast with traditional software licensing for internal use at the corporate customer: typically a set of perpetual licenses that are per-user, and then an annual support fee per user. Overall, the industry view is that a move to SaaS takes software costs from a capital expense profile, with large up-front costs, to an expense time profile that correlates over time with the growth of the corporate customer's business. In many cases, this is financially beneficial to corporate customers.

Cloud Computing Agreements Shift Cyber-Liability Risk

There is a potential hidden cost to the adoption of cloud computing: The companies offering the cloud computing platform service typically shift the risk of data loss or disclosure onto their customer. Another way to look at it is that when corporations operate their own computing facility, they hold the liability risk of a data disclosure incident. While they may outsource the costs of the computing facility by moving to a cloud computing solution, they may nevertheless still hold that data liability risk. A brief review of the End User License Agreements (EULA) for several popular cloud computing platform services shows that by contract, the cloud computing platform customer typically holds this risk, not the cloud platform provider.

Amazon Web Services states explicitly in §3 of its EULA that it will “implement reasonable and appropriate measures ... to help you secure your Content ...,” which is the responsible thing to do. However, should it breach that standard of care, its contract states at §11: “We ... will not be liable to you for any direct, indirect damages ... including ... loss of profits, goodwill, use or data.” It disclaims all warranties, makes no indemnities and has a warranty disclaimer with no exceptions. One wonders whether the exclusion of all damages for breach of the agreement makes the contract a nullity for failure of consideration.

Google Drive takes a similar position. In Google's EULA, there are no warranties other than those expressly made, but it states that “to the extent permitted by law, we exclude all warranties.” Google's EULA recites a limitation on liability that doesn't exclude direct damages, it does not provide indemnities, and the EULA caps liability at the amount the customer has paid Google. In addition, the provision on limitation on liability excludes lost profits, revenues, “data [and], financial losses ...”

Apple's iCloud service, which is a cloud data storage facility typically used by iPhone, iPad and iMac users, offers similar risk allocation terms. Apple's EULA disclaims all warranties “express or implied.” Its EULA includes a limitation on liability that excludes direct, indirect damages and lost profits. Apple does not offer any indemnities.

Microsoft 365, which is Microsoft's new direction for delivering Microsoft Office software, has become more popular. Microsoft 365 is a SaaS offering of Office software as a service. Microsoft has a EULA that has a complete warranty disclaimer, express or implied. Microsoft does not provide an indemnity and caps its liability at one month's service fees.

This risk shift is opposite to what would be expected: In this case, the risk of data loss or disclosure is shifted toward those parties with less control over how to address it, while normally one would expect the risk to be shifted to those that can: the cloud platform service providers. But there are things that the cloud computing customer should do to ameliorate this risk.

Address the Risk

It is highly recommended that the cloud computing customer consider how to evaluate and ameliorate the risk of data loss or disclosure when evaluating the adoption of a cloud computing platform service. There are several approaches that should be used. First and foremost is considering the type of data being hosted remotely. Some types of data are less sensitive than others, and this may inform the strategy that applies to a particular case. For example, financial data subject to certification for Securities Act purposes is likely more sensitive than anonymized click-stream use data, and whether either data set goes into the cloud may depend on the quality of the in-house computer facility and its security as compared with that of the cloud platform solution.

Second, negotiation of contract terms to shift risk back to the cloud platform service provider may be possible. The EULAs described above might be negotiable with a sufficiently large guarantee of revenue from the corporate customer. Nonetheless, that the EULAs described above are the default contractual documentation suggests that the customer of the cloud platform service has to be vigilant that its personnel are not relying on “click through” agreements to contract these services without the advice of legal counsel. Further, new SaaS services that are customers of a cloud computing platform service should try to renegotiate their contracts with the service as soon as there is growth of their usage metric: Cloud service fee revenue growth provides negotiating leverage because it is the justification for the cloud computing services' competitive pricing strategy.

Third, the cloud computing customer should consider purchasing cyber liability insurance against the risk of data loss and disclosure. The costs of the insurance policy should be considered along with the costs of the cloud computing solution in order to fully understand the costs and benefits of a cloud computing solution. However, the insurance policy coverage has to be revisited periodically because the potential liability risk may scale with the size of the corporate customer's data set. It is also important to obtain the correct insurance policy: one that specifically calls out cyber liability coverage that includes hacking as well as negligence and one that will cover acts by or against the insured's contractors. Consider that a New York court ruled that a loss arising from a computer system data leak due to a hacker was not covered by a general liability insurance policy. In Zurich American Insurance v. Sony Corp. of America, the Supreme Court of the State of New York held that a commercial general liability policy did not cover data loss arising from a criminal act by a third party because the provision covering liability for “publication” covered only publication by the insured, not publication resulting from the hack. Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011, appeal withdrawn, 127 A.D.3d 662 (1st Dept. 2015).

Conclusion

Outsourcing the computer facility to a cloud platform service does not necessarily shift cyber liability away from the customer. Therefore, when evaluating cloud computing solutions, the low prices offered by cloud computing platform services have to be evaluated along with the costs of ameliorating the allocation of cyber liability risks. In addition, companies should be vigilant that their employees are not relying on click-through agreements that have not been reviewed by counsel in order to store the company's data on these cloud computing platform services. The “free” service may have hidden costs for the company.


Ted Sabety is the founder of Sabety +associates, an intellectual property and technology law firm located in New York.
