Does Adoption of Cloud Computing Shift Cyber Liability Risk?
The rapid adoption of cloud computing has attracted companies that seek to lower their information technology costs. At the same time, it is reported that there has been an increase in data loss and an increase in cyber-liability claims against companies—some of it from an increase in criminal acts like hacking. But the biggest vendors in the cloud computing industry want to push the risk of penetration of their systems onto their customers adopting the technology—those far removed from control of the hardware and network platforms on which cloud computing relies. This shift of cyber liability risk away from the cloud computing platform providers and onto their customer may be a result of competitive pricing in the cloud computing platform service industry. Some in the industry consider the liability risk associated with retail customer data disclosure to be approximately $2,000 per customer data record. This is a large number when one considers that corporate customer databases could easily have 100,000 data records with names, addresses, credit card numbers and other information in them. Therefore cloud computing customers have to consider how to ameliorate the risk of cyber liability despite having outsourced their compute infrastructure to the cloud.
Cloud Computing Has Become Highly Popular.
"Cloud computing" is a term that refers to a computer system architecture where users of a software package use their local computers to access a remote server computer operating the software, typically using the World Wide Web to reach a webpage hosted on that server. Typically, the server operating the software is located outside the confines of the corporate computer network perimeter and beyond its network firewall. The users' data is stored on the remote server or some remote data repository associated with the remote server. The software architecture is engineered so that users of the software from different corporate customers can use the software (and their data) independently but at the same time. Software made accessible to corporate customers in this manner is called "Software as a Service" (SAAS). The corporate customer is reliant on the SAAS provider to operate and maintain the software and the customer's database. The SAAS provider is in turn a customer of the cloud computing platform service for the servers and networking on which its software service relies. While the corporate customer's data is stored outside the perimeter of the corporate network on a server that neither the corporate customer nor the SAAS provider directly controls, there are advantages to operating corporate information technology infrastructure this way.
Cloud computing has become attractive for several reasons. First, the software company providing SAAS maintains their computer software. In addition, their cloud computing platform provider maintains the hardware and network infrastructure. As a result, the corporate customer is spared the costs of acquiring, operating and maintaining a computer facility of its own. Often this is the right thing to do because the company providing the cloud computing platform is better suited to maintain a computing facility than the corporate customer and the SAAS service provider is better suited to installing upgrades and bug-fixes to their software. Second, the typical SAAS licensing arrangement is a usage-fee based structure. Some are based on the number of users, others on the size of the database. Typically, SAAS licenses have some kind of recurring fee, that is, a set fee per year times the number of users (or other usage metric). This is in contrast with traditional software licensing for internal use at the corporate customer: typically a set of perpetual licenses that are per-user, and then an annual support fee per user. Overall, the industry view is that a move to SAAS takes software costs from a capital expense profile, with large up-front costs, to an expense time profile that correlates over time with the growth of the corporate customer's business. In many cases, this is financially beneficial to corporate customers.
Cloud Computing Platform Agreements Shift Cyber-Liability Risk to the Customer.
There is a potential hidden cost to the adoption of cloud computing: The companies offering the cloud computing platform service typically shift the risk of data loss or disclosure onto their customer. Another way to look at it is that when corporations operate their own computing facility, they hold the liability risk of a data disclosure incident. While they may outsource the costs of the computing facility by moving to a cloud computing solution, they may nevertheless still hold that data liability risk. A brief review of the End User License Agreements (EULA) for several popular cloud computing platform services shows that by contract, the cloud computing platform customer typically holds this risk, not the cloud platform provider. Amazon Web Services states explicitly in §3 of their EULA that they will "implement reasonable and appropriate measures … to help you secure your Content … ," which is the responsible thing to do. https://aws.amazon.com/agreement/. However, should they breach that standard of care, their contract states at §11: "We … will not be liable to you for any direct, indirect damages…including … loss of profits, goodwill, use or data." They disclaim all warranties, make no indemnities and have a warranty disclaimer with no exceptions. One wonders whether the exclusion of all damages for breach of the agreement makes the contract a nullity for failure of consideration. Google Drive takes a similar position to Amazon Web Services. In Google's EULA, there are no warranties other than those expressly made, but they state that "to the extent permitted by law, we exclude all warranties." https://www.google.com/policies/terms/. Google's EULA recites a limitation on liability that doesn't exclude direct damages, and they do not provide indemnities and the EULA caps liability at the amount the customer has paid Google. In addition, the provision on limitation on liability excludes lost profits, revenues, "data [and], financial losses … ."
Apple's iCloud service, which is a cloud data storage facility typically used by iPhone, iPad and iMac users, offers similar risk allocation terms. http://www.apple.com/legal/internet-services/icloud/en/terms.html. Apple's EULA disclaims all warranties "express or implied." Their EULA includes a limitation on liability that excludes direct, indirect damages and lost profits. Apple does not offer any indemnities.
Microsoft 365, which is Microsoft's new direction for delivering Microsoft Office software, has become more popular. Microsoft 365 is a SAAS offering of Office software as a service. Microsoft has a EULA that has a complete warranty disclaimer, express or implied. https://www.microsoft.com/en-us/servicesagreement/. Microsoft does not provide an indemnity and caps their liability at one month's service fees. Given Amazon, Google and Apple's position on the question of risk allocation, it is not surprising that Microsoft follows suit and does not offer better risk allocation terms.
This risk shift is opposite to what would be expected: In this case, the risk of data loss or disclosure is shifted towards those parties with less control over how to address it, while normally one would expect the risk to be shifted to those that can—the cloud platform service providers. But there are things that the cloud computing customer should do to ameliorate this risk.
Cloud Computing Customers Must Consider and Address the Risk.
It is highly recommended that the cloud computing customer consider how to evaluate and ameliorate the risk of data loss or disclosure when evaluating the adoption of a cloud computing platform service. There are several approaches that should be used. First and foremost is considering the type of data being hosted remotely. Some types of data are less sensitive than others, and this may inform the strategy that applies to a particular case. For example, financial data subject to certification for Securities Act purposes is likely more sensitive than anonymized click-stream use data—and whether either data set goes into the cloud may depend on the quality of the in-house compute facility and its security as compared to that of the cloud platform solution. These factual considerations have to be evaluated as part of the cloud computing outsourcing transaction.
Second, negotiation of contract terms to shift risk back to the cloud platform service provider may be possible. The EULAs described above might be negotiable with a sufficiently large guarantee of revenue from the corporate customer. Nonetheless, that the EULAs described above are the default contractual documentation suggests that the customer of the cloud platform service has to be vigilant that its personnel are not relying on "click through" agreements to contract these services without the advice of legal counsel. Further, new SAAS services that are customers of a cloud computing platform service should try to renegotiate their contract with the service as soon as there is growth of their usage metric: Cloud service fee revenue growth provides negotiating leverage because it is the justification for the cloud computing services' competitive pricing strategy.
Third, the cloud computing customer should consider purchasing cyber liability insurance against the risk of data loss and disclosure. The costs of the insurance policy should be considered along with the costs of the cloud computing solution in order to fully understand the costs and benefits of a cloud computing solution. However, the insurance policy coverage has to be revisited periodically because the potential liability risk may scale with the size of the corporate customer's data set, i.e., the number of its retail customer identities that are stored on the cloud platform provider's servers. Therefore, the insurance coverage amount may have to grow with the customer's business. It is also important to obtain the correct insurance policy—one that specifically calls out cyber liability coverage that includes hacking as well as negligence and one that will cover acts by or against the insured's contractors.
Consider that a New York court ruled that a loss arising from a computer system data leak due to a hacker was not covered by a general liability insurance policy. In Zurich American Insurance v. Sony Corp. of America, the Supreme Court of the State of New York held that a commercial general liability policy did not cover data loss arising from a criminal act by a third party because the provision covering liability for "publication" covered only publication by the insured, not publication resulting from the hack. (651982/2011, appeal withdrawn, Zurich Am. Ins. Co. v. Sony Corp. of Am., 127 A.D.3d 662 (1st Dept. 2015).)
In conclusion, outsourcing the compute facility to a cloud platform service does not necessarily shift cyber liability away from the customer. Therefore, when evaluating cloud computing solutions, the low prices offered by cloud computing platform services have to be evaluated along with the costs of ameliorating the allocation of cyber liability risks. In addition, companies should be vigilant that their employees are not relying on click-through agreements that have not been reviewed by counsel in order to store the company's data on these cloud computing platform services. The "free" service may have hidden costs for the company.