Cloud provider liability limits are quite the paradox. On the one hand, most large providers are saying to customers,
"We accept no liability for business lost due to a breach in service." On the other, CIOs are loath to accept the financial risk of putting their company's data into a cloud. This standoff has to be resolved if the cloud is ever going to move beyond being a repository for non-mission-critical data, according to industry experts.
"There is definitely a disconnect between the liability that providers are willing to accept and the responsibility customers want them to take," said Julio Gómez, founder of Innovation Councils LLC in Concord, Mass., which brings CIOs from various industries together to strategize. The issue of cloud liability has come up on several occasions during council meetings, he said. "Generally, providers are only willing to refund [the fees] customers paid [for the service]. That's not going to fly in the market in the long run."
"In a way, I understand it," said Drue Reeves, director of research at the Burton Group in Midvale, Utah, who brought together a panel of lawyers and cyber insurance providers to discuss cloud provider liability limits at the Catalyst conference in San Diego last month. If large cloud providers were to accept a lot of liability for each of the tenants in a multitenant situation, their liability soon would be greater than the provider is worth, he said. Publicly held providers have to report liability, and no one would ever want to acquire them. Nor would providers be able to afford the cyber insurance premium to cover the liability, he pointed out. (For more on cyber insurance , check back later this week on SearchCIO.com).
"Liability has to be shared, and both parties have to be reasonable," Reeves said. "If you look at the cloud, it's built using technology we already have. We're going to solve the technical problems, which are real. It's the service portion that we haven't figured out yet, and liability is a huge part of that issue."
The terms and conditions of a provider's liability policy are boilerplate for customers clicking through a website with a credit card, but it's not an all-or-nothing situation for enterprises, according to Tanya Forsheit, a founding partner of the Information Law Group in Los Angeles. "You have to come up with ways to adjust limitations of liability that may be acceptable to the cloud provider," she said. Without established cloud computing law, "you have to have a negotiation."
Unfortunately, there is not a lot of jurisprudence available to guide the industry. Most cases involving large data breaches have been settled out of court, perhaps providing restitution but no judgments or precedents. The lawsuit that followed the infamous TJX Companies data breach, for example, was settled quietly for a cool $250 million. Within the next two years, a case is likely to come before a judge who will articulate the concept of harm as a result of a security compromise incident, Forsheit predicted. Until then, enterprises will need to push providers on the issue.
There's another distinction to be made between business-to-consumer services like Twitter.com and Facebook.com versus business-to-business (B2B) services like Salesforce.com and Amazon Web Services, said John Moss, vice president, deputy general counsel and head of commercial practices at Salesforce.com Inc. in San Francisco.
"As a B2B, we work with large companies and understand that we need to share the liability just a little bit," Moss said. Salesforce.com limits liability to basic, direct damages. "If it's down, maybe the [reimbursement amount] is going to be limited to the fees you paid for the service. Or if there's a data loss, maybe it's your out-of-pocket expenses, if you get sued by your customers," he said. "But we're not going to go toward what we call consequential damages -- things that are farther removed, like your loss of reputation or business."
Cloud provider liability limits: A legal gray area
Realistically speaking, customers don't expect to be fully indemnified, but they want the penalty to hurt providers enough that they get motivated to prevent failures, Gómez said. "The liability must be a deterrent to failure."
Customers don't expect to be fully indemnified, but they want the penalty to hurt providers enough that they get motivated to prevent failures. The liability must be a deterrent to failure.
Julio Gómez, founder, Innovation Councils LLC
"Negligence is complex, but it all comes down to what is objectively reasonable," Forsheit said. Some states require that if you have a service provider -- whether cloud or not, you put a provision in the contract to provide reasonable safeguards for personal information. Many contracts use the phrase "reasonable security" as a floor, she said, but added that very often the provider comes back to say, "Here's our policy. You tell us if you think it's reasonable."
Regulations such as the Health Information Portability and Accountability Act, or HIPAA, make it very clear who is responsible for notifying third parties when their data is hacked. The data owner, or cloud customer, is responsible, Forsheit said. Cloud customers may want to negotiate with the provider to pay the costs of notification.
The issues associated with liability limits -- including cyber insurance, global laws and the economic impact of a huge data breach -- have industry watchers wary of which way things will go. "We're in a progression of technology innovation, where we're only looking at the assets, capabilities and costs; but people are starting to realize there are higher consequences to a breach now than in 2005," said Drew Bartkiewicz, vice president of technology and new media markets for The Hartford Financial Services Group in New York. "2009 was a record year for data breaches, so we're not masters of our domain here. There's a growing sophistication in how things are being breached, through China, Latin America and Central Europe," he said. "I'm just predicting the consequences of error going forward are going to be much greater than they have been for the last ten years."
Moreover, international liability is "a nightmare," Forsheit said. There are no precedents or court opinions, and companies can't transfer data across borders unless they comply with the EU data protection directive and the implementing legislation, she said. That means safe harbor certification or model contract clauses for onward transfers. "You have to talk to your providers about that as well," she added.
Let us know what you think about the story; email Laura Smith, Features Writer.