May 6, 2015
Liability: The Hidden Complexity In The Cloud
Some clouds are darker than others. There’s no question that we need them for the sake of the environment that we now live in, but hidden deep in the dark depths of those condensed clusters floating above us up there in cyberspace, there is monsoon potential for catastrophic downpours of all sorts of liability issues that can leave a company drowning in its own data legalities.
Clouds are continuously inflating all over the globe as an increasing amount of organisations are turning to the storage repositories to meet their business computing needs. Indeed, according to Verizon’s state Of The Market: Enterprise Cloud 2014 Report, 65% of enterprises are already utilizing cloud services to some extent – and this figure is only set to grow in the years that follow.
With the greater power, convenience and productivity that the cloud enables, there is a trade off in terms of liability issues.
If you are using the cloud for the purposes of storing data (which, indeed, is the primary function of cloud services, so, if you’re in the cloud, then you will be), there inevitably comes an aspect of responsibility for that data which you store.
You will have customer data in the cloud, payment data, contact information, some of your key business data, your accounts, your payroll, your tax information – all of this is extremely sensitive stuff, and, as such, you expect the highest levels of security to be in place in efforts to protect it.
But what happens when the security fails and there’s a breach? Who is responsible – is it you or the cloud service provider? What were the terms concerning the allocation of risk when you signed the contract with your CSP? Indeed, what did your clients or customers sign when they handed over their data to you in the first place? What did you promise them?
If there’s a breach, then you can bet your bottom dollar that they are going to want to know. And you can bet your bottom dime that your cloud service provider is going to do everything it can to see that it is you and not them who is liable – such is the nature of liability in the business space.
And so, it is imperative that you start doing your homework right now so that you can be sure that you are protected should the unthinkable happen, and I want to use this post to talk about some of the most pressing cloud computing liability issues, namely contacts, and, exactly what SMEs are often faced with when choosing a cloud service provider.
This is where it starts. If you’re in business, then you will of course be very well aware of the complexities of contracts. It’s all in the interpretation of the wording, as we all know, and sometimes those interpretations can be extremely subjective should things ever go awry.
Many SMEs start to look to the cloud for the purposes of scaling their business. And the cloud certainly offers some exciting opportunities to do just that. Often, it can be the case that when searching for the best deal that offers the most relevant features that will be of use to your business, liability issues can be completely overlooked.
A lot of cloud service providers, for instance, like to boast about the strengths of their security systems. And, to be fair, many of them will be just as strong as they profess. However, what’s left largely unsaid, for obvious reasons, when you’re reading through the bullet-pointed list of security features – anti-virus, anti-malware, firewall protection, data-recovery and so on – is what happens should a breach actually occur.
Well, it might be that in the small print of the contract, the risk of storing your data and your customer’s data on your cloud service provider’s servers remains with you – i.e. the liability is yours.
This is potentially a serious issue.
When you decide upon a cloud service provider, most of the time you will very quickly stroll through the ‘clickwrap agreement’ – and this is where the important details of your contract will lie, though quite often people will fail to take proper heed of the small print.
The cloud is so popular for SMEs a lot of the time for precisely this very reason. There is an extremely low barrier to entry for the cloud, which, although it makes for a very democratizing service, is, at the same time, extremely segmentary.
The large corporation will have a large legal budget. Any contracts that are signed – or indeed clickwrapped – will be scrutinized thoroughly, and, in order to acquire the new big business, CSPs will often quite willingly bend on their liability terms to onboard a high-end client.
Not so for the SME, unfortunately, and the clickwrap agreement is legally enforceable. If you freely click to agree to a set of terms and conditions, then it carries the same weight in a court of law as if you were to freely put your signature next to something.
Publicly available cloud computing contracts will often offer the best deals, and therefore make themselves the most attractive to SMEs on a budget. However, these will frequently limit the liability of the cloud service provider to a level that is not at all in line with the potential risk that it comes with.
If presented with a clickwrap agreement or when otherwise signing a contract with a CSP, look out for paragraphs that contain something like the following:
“Neither we nor any of our licensors shall be liable to you for any direct, indirect, incidental, special, consequential or exemplary damages, including, but not limited to, damages for loss of profits, goodwill, use, data or other losses.”
If you sign an agreement containing these words, or something similar, then you are liable for anything that happens to that data whilst it’s with your CSP. So, find out if you have made a clickwrap agreement to this effect, and start taking measures now to better protect yourself should a breach strike.
To Whom Does The Data Belong?
Answer: the customer.
What The Law Says
If your CSP suffers a breach, then, as Bloomberg articulates, “the state and federal legal obligations to notify affected individuals apply to the customer as the owner of the data, not the cloud provider.”
To be fair to CSPs, this is a fact that you will do well to remember. At the end of the day, it is your data that you are dealing with, and so it is arguably reasonable that cloud service providers want to deflect as much risk as is associated with it as possible.
However, for some, this argument shouldn’t, in all fairness, stand up.
When you put money in your bank account, for instance, and the bank gets robbed – whom do you think is liable? The bank, of course. And rightly so. You’re entrusting your hard-earned funds to the security (and insurance policy) of your bank. If it takes a hit, then it’s reasonable to expect the bank to absorb the loss.
And so the same theory should surely apply to cloud storage. You are essentially ‘banking’ your sensitive data with your cloud service provider, whom you assume will be responsible for protecting it.
But, of course, data is more unique than credit – and potentially more valuable and damaging. Your CSP will of course be doing everything in their power to prevent a security breach. For one thing, their business depends on it – if all or some of their servers all of a sudden become compromised, then they’ve got a massive reputation loss to overcome, as well as any legal complications (if they haven’t successfully managed to divert all liability onto their customers, that is) and services to deal with and pay for.
But, at the end of the day, a CSP is not a bank. Data is not replaceable in the same way that credit is (one bunch of $100 bills is much the same as another as far as you’re concerned I’m sure – however, your customer and company information that’s stored on those servers is absolutely unique, and once it’s gone, it’s gone), and, as such, CSPs will want the liability to remain with you as the owner of that data, and not themselves as the temporary holders of it.
A Sticky Situation
The liability issue of cloud computing is one that has been around for some years already, and is not set to be solved any time soon. When it comes down to it, you need to be responsible and thorough when choosing a cloud service provider, and try to make use of one where the contract is not non-negotiable.
Indeed, you will undoubtedly find it difficult to source such a vendor, and when you do, you will be paying more for any extra levels of protection that you manage to acquire. However, you must be aware that CSPs will be extremely reluctant to take on any more liability, even if other areas of the contract are up for negotiation.
Cloud computing is safe, I would like to add as a final word, and certainly much safer in security terms than what the average SME could afford to implement in-house. But, nothing’s ever 100% infallible – that’s just a simple fact of life – and there will always be a certain amount of data breaches that occur in cloud computing. So, be prepared, work out the very best contract that you can, but you must analyze the risk involved in moving to the cloud before doing so, and always remember that in most case it is you who will be liable for any data that you pay to store, and not the cloud service provider itself.
Published by Igor Varnava, May 6, 2015