Liability and Risks in Cloud Computing

Stephen DeAngelis

November 29, 2011

In a post entitled Business Heads for the Clouds, I briefly touched on the subject of liability and promised to explore the topic further in a later post. The subject was raised by two Gartner analysts, Drue Reeves and Daryl Plummer, who ask several important questions in “Is Cloud Computing too big to fail?” [Financial Times, 17 October 2011]. They wrote:

“Liability – it’s a word you don’t hear in most cloud discussions, but you might want to start introducing the topic. In the cloud world, questions of who’s liable for business failures and how much compensation can be expected are often overlooked. So, how do you know if you’re covered or not? The issue is concentration risk and stacked liability. What if one cloud provider got so many big companies (or companies in an industry) and then failed? Could this affect us all? Could it affect the economy? Could a cloud provider become ‘too big to fail?’”

Interesting questions all. They went on to write, “A wise man once said, ‘Be wary of providers willing to take on any amount of liability because they actually guarantee none.’” They continue:

“Some providers act like they have nothing to lose, but, as the saying goes, you can’t get water from a rock. And as we all know, rocks are notorious for not volunteering information — similar to how cloud providers won’t (or can’t) share how much liability they are taking on or can afford.”

If Gartner analysts are thinking about liability, you can bet that a number of high-priced lawyers also have the topic on their minds. Both providers and clients would be smart to give the matter a little thought. Along with Reeves and Plummer, you might be asking, “Liability for what?” They explain:

“Consider lost business opportunities, lost data and lost customers – and that’s just a start. Cloud providers take on a great deal of responsibility when they ask you to give up yours. Someone has to be accountable in the end.”

Reeves and Plummer report that, in common practice, there are essentially two approaches that are being used to address liability. The first approach limits the liability of the provider. They write:

“First is the provider that states its limit of liability. These providers generally offer very little financial guarantee in the event of failure, but at least they set a benchmark for what to expect.”

David Rosenbaum, senior editor for technology at CFO Magazine, puts it this way, “You want your cloud provider to share security risk. Your provider wants to limit its liability. The result is a negotiation.” [“Cloud Control,” 1 September 2011] We’ll return to Rosenbaum’s thoughts later. If your provider doesn’t want to negotiate, you’re left with the second approach used by some cloud service providers — stony silence. Reeves and Plummer write:

“Second are the providers that make no clear statement of their liability or your own. This means the consumer is on the hook for almost all liability, while the provider fancies itself a ‘trustworthy protector of consumer interests.’”

Many businesses find themselves in a “damned if you do and damned if you don’t” situation. They want better security for their data (which many believe can be obtained by using cloud services); but, on the flip side, the biggest thing they fear about the cloud is security. John Bussey reports that many small- and medium-sized businesses are migrating to the cloud because they are “attracted chiefly by cost savings and service but increasingly by security as well.” [“Seeking Safety in Clouds,” Wall Street Journal, 16 September 2011] At the same time, he reports that “72% of small businesses … and 63% of mid-sized companies … [indicate that] security [is] their chief worry.” He explains why some companies believe their data is more secure in the cloud:

“Basic security tasks that often don’t get done at a small enterprise—updating antivirus programs or applying patches to software—are usually part of the plain-vanilla package in the cloud. The more you pay, the more you get: firewalls around your data, high-end encryption, ‘private clouds’ that let you isolate critical information and still access extra processing muscle when you need it, hacker-attack notification and mitigation, and 24-hour tech support.”

Bussey acknowledges that “the cloud is no Fort Knox and can cut both ways on security.” He explains:

“Multiple users of a given server can create multiple entry points for hackers. If the cloud provider’s security is weak and if basic Internet hygiene is sloppy at businesses whose files cohabitate with yours, then you may get infected too. Hackers also love multiple targets in one setting, which the cloud provides. A cloud host could actually make your data more vulnerable.”

Returning to the topic of liability, Reeves and Plummer raise another concern: chained liability. They write:

“Chained liability … happens when cloud service providers use other providers in a chain of dependency to deliver a service. Sometimes these chains extend six or seven service providers deep, and this long lineup is sometimes hidden from the end consumer. As a result, issues like location of the service, security, and terms and conditions of the underlying service aren’t easy to see. And that means that any one of these ‘hidden’ service providers could cause the overall service to fail. If that happens, who would be held accountable – the original service provider? Maybe, but ask yourself this: Are rocks likely to get a lot more talkative tomorrow? In the case of an acquisition, is the acquiring provider required to honor the acquired provider’s service-level agreement (SLA)? Or if you’ve negotiated better terms than the boilerplate, is the acquiring cloud service provider required to honor that contract? You could make the case, or even write into a contract, that the acquiring provider should honor any existing terms, but, then again, the provider may simply decide not to renew it. Here’s the rub: On any of these issues, when there’s a conflict between the consumer and the cloud service provider that can’t be resolved, the matter may end up in a courtroom.”

That’s a scary thought. Before discussing what could happen at trial, let’s return to what Rosenbaum has to say about negotiating with cloud service providers. He reports that “a significant majority of 127 cloud-computing service providers surveyed believe it is their customers’ responsibility to secure the cloud, not theirs.” Why? The answer, of course, is liability concerns. He provides, as an example, Amazon’s statement of liability. He writes:

“Amazon Web Service’s Terms and Conditions, for example, state that it will ‘have no liability…for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.'”

Not very comforting is it? Rosenbaum claims that “the ramifications could be huge.” He explains:

“That’s because the cloud — which enables companies to outsource everything from e-mail to ERP and then access it all through a browser — is inherently insecure. The same ease of access that makes it appealing also makes it vulnerable. Yet many non-tech-savvy buyers of cloud services are not adequately aware of the security issues, says James Reavis, director of the nonprofit Cloud Security Alliance.”

Rosenbaum then asks the $64,000 question: “How can you protect your company in this new, risky business?” As an interesting side note, Rosenbaum provides a case study involving a company called RightNow. RightNow was deciding between two cloud-service providers: NetSuite and Oracle. The company selected NetSuite and went through a lengthy negotiation with that company over liability. RightNow’s CFO told Rosenbaum, “You want your vendor to have skin in the game.” The case study is interesting because, since the article was written, the company that wasn’t selected, Oracle, acquired RightNow. Getting back to the question at hand, Rosenbaum discusses some basic security measures that any good cloud service provider should have in place. To read more on that subject, see my post entitled The “Big Data” Dialogues, Part 8: Cybersecurity. He then discusses the legal issues involved. He writes:

“In terms of vetting cloud providers, [Andrew W. Klungness, a partner at law firm Bryan Cave,] advises CFOs to make sure their provider is solvent and carries insurance. ‘A financially sound vendor is likely to be there when you turn on the lights Monday morning,’ he says. ‘Check breach incidents and lawsuits against them, and ask for customer references.’ And ‘make sure the contract provides for disaster recovery,’ adds Klungness. ‘If your provider goes down, you should have a plan for getting your data out, and a backup provider ready to go. Make sure the vendor is aware of your auditing obligations. Even if you’re only hosting e-mail, if you mention Sarbanes-Oxley and get a blank stare, it’s time to ask more questions. The more it’s clearly documented that you’re telling a vendor what to do, the better your position if a regulator starts asking questions. It shows good faith and due diligence.’ Klungness also recommends that clients ‘get contracts where there are meaningful credits or refunds. If service goes down, you want to get a portion of your money back or a proration of your fees.’”

On that last point, Klungness admits that getting “a vendor to compensate you for business loss” is very difficult. “The risk-reward profile of that type of indemnification,” he says, “is very poor.” Just as importantly, “if a vendor is willing to stick its neck out to that extent, you may be dealing with an unstable vendor.” Rosenbaum indicates that there is another legal issue that companies should consider, and it involves discovery. He explains:

“Daniel Garrie, managing director of ARC E-Discovery Dispute Resolution, and a court-appointed Special Master in governance and e-discovery cases, notes that, ‘global corporations have to deal with complex issues of data retention in the cloud. For example, how long do you have to keep e-mails? If you don’t plan strategically for adopting cloud, you may fail to realize that they’re keeping your e-mails for a year instead of, say, 90 days. Then you get sued and you have e-mails popping up you thought were gone. And then you have to provide them.’ That can get very sticky. As Garrie explains, ‘Can you ask your provider for 20 million e-mail messages spread out over hell and gone? And what about the metadata [data about data; for example, the revision history, whether it was printed out, all the times it was viewed, and so on] coming with the e-mail? If the provider can’t supply it, that could be a big problem. In adversarial litigation processes, destruction of metadata is considered spoliation of evidence, and you can’t just say to the judge, “The cloud ate my evidence.”’”

Rosenbaum concludes his article with some advice from Larry Ponemon, chairman of the Ponemon Institute.

“‘First,’ he says, ‘make sure the provider has the right security environment in place. Do they have good data-loss prevention technology? How are encryption keys managed? Does the company vet its custodians? Does it do background checks? Does it train its employees in security, and what is that training? The vendor may think training is just sending out an e-mail. Find out what their training consists of. You should be able to audit your provider whenever, wherever,’ he says. ‘You should visit the data centers. If you see printouts scattered everywhere, that’s not good. Find out who’s in the cloud with you. If the provider has an insecure customer, that makes you less secure. If the provider has an insecure provider, that also makes you less secure.’ And bear in mind, he says, that ‘your provider should have written policies — a fire drill — for how they respond to a data breach, and how they inform you about one.’ The cloud is new, and it’s risky. But the very fact that it’s new and risky, Ponemon believes, should give CFOs the upper hand in cloud negotiations — and the ability to walk away if they feel their needs are not being met. ‘There are a lot of sellers of cloud services out there,’ says Ponemon. ‘It’s a buyer’s paradise.'”

The issue of liability is important for a number of reasons. Clients, of course, don’t want to absorb all of the costs of a security breach, and neither do the providers. Earlier, Reeves and Plummer indicated that liability cases could end up in court. The worst-case scenario, they believe, is a liability case that awards a client such a settlement that it “breaks the cloud computing model.” They write, “Providers would then be forced to accept so much liability that they can’t stay in business without raising prices dramatically, or consumers may be forced to live with too much risk that it’s not worth the trouble to use the cloud at all.” They then ask, “So, what can you do about it?”

“One answer might be to acquire cyber risk insurance, which covers cyber events such as loss of service, data confidentiality breach and cyber extortion. However, cyber risk insurance isn’t a panacea either. For one thing, it’s expensive. A $10m policy costs $100,000 to $300,000. Yet, even with the high cost, the policy limits are too low to cover IT liability for large companies. So, one choice is to stack insurance to achieve enough liability coverage to protect yourself from a cyber risk event. … But be forewarned that cyber risk insurance policies are steeped in ‘legalese’ that is often hard to interpret, especially for small to midsize businesses. … What happens if the insurer doesn’t mitigate its own risk (e.g., takes on too many policy holders to maximise profits)? What if the insurer fails or defaults on a policy holder making a claim? The answer is that the consumer has to deal with a failed policy and insurers that won’t sell a policy to anyone at a reasonable price.”

Reeves and Plummer conclude, “For today, cloud computing is a liability risk for providers, consumers and insurers. The question is, how much risk are you willing to absorb, and how much risk to a provider becomes risk to us all? Is cloud computing too big to fail? Perhaps it’s too big not to.” Most analysts agree that cloud services are going to become an increasingly important part of the business landscape. They believe that the benefits far outweigh the risks. Nevertheless, the risks do exist, and companies need to do everything they can to mitigate the consequences when bad things happen. Good solutions will only emerge if clients and providers collaborate with, rather than confront, one another. For good or ill, they are in the cloud together.