Posted by Sequel on May 11, 2012
Topic: Data Security
Tags: cloud computing, Data Security
The Claim that Cloud Computing will Solve all Your Data Security Problems

It really bugs me that businesses are signing up for cloud computing services (“CCS”) before considering whether the CCS’s contract and service levels actually capture what is promised in advertising claims like this:

Web attacks and retribution campaigns are on the rise, and they have become more frequent, more random and more extreme. Distributed cloud services are an effective means to protect against evolving, modern-day IT threats.

This statement doesn’t look offensive, but it made me mad … First, cloud services are not necessarily more effective than your traditional in-house IT environment (many CCS service level agreements barely commit to a specific amount of up-time, never mind security commitments). Second, a CCS will NOT stand beside you, sharing liability, in the event there is a breach. CCS contracts generally disclaim any liability caused by a third party, i.e. a hacker – even if that hacker got in because of the CCS’s negligence in maintaining the system. They are not liable.

If you have an existing agreement with a CCS, go and look closely at your agreement. Is liability for third-party acts carved out? (If you have a provider that accepts liability for a hack that occurs as a result of the provider’s negligence in maintaining the system, please let me know and I will post the name of that provider on our website for everyone’s benefit!)

Why Is This a Big Deal?

Plainly stated, if you experience a loss or misuse of your customers’ data while it’s being stored on a cloud service, you are in potentially big financial trouble. How big? Industry experts agree that you will be looking at a minimum of $200 per record. This represents just the costs of complying with the various statutory notice requirements. The $200 per record figure does not take into account potential fines that might be levied by regulatory agencies after an investigation. The ultimate cost of a data breach is likely to be much more. In 2011, according to several independent studies, the average cost of a data breach was between $5 and $7 million.

With so much at stake, you really need to know what your CCS is willing to do for you in the event of a breach. You are likely to find out that claims such as the one above are flat-out wrong from a legal perspective, for at least three reasons.

First, the legal liability for securing your customers’ or patient data is always and solely yours. Nothing you do can shift that responsibility. All you can do is make sure your CCS is willing to make you financially whole to the extent that the cause of the breach is the fault of the CCS.

Second, not one of the CCS agreements I’ve seen even offers to cover you if data you have stored with them is compromised by their own negligence. You heard right. Even if the breach is their fault, they won’t indemnify you for your potentially massive liability. Their Service Level Agreements (SLAs) and Terms of Service (TOS) probably make a lot of grand-sounding claims about uptime and access to your data. They probably even offer to give you credit for downtime on their servers. All of those agreements are nice but essentially meaningless when it comes to the huge financial exposure you have for loss or misappropriation of customer data. Credit for downtime does not cover a loss of between $5 and $7 million.

Third, even to the extent that you can get your CCS to address the question of data assurance, you’ll find their promises aren’t as good as you need them to be. They use vague expressions like “commercially reasonable maintenance” and “applying best known patches” and “following industry standard practices” (of which there are essentially none anyway). As far as I can tell, all CCSs are following the same playbook in this respect. I suspect they’ll continue to do so as long as market conditions permit.

The Legal Landscape

As if it weren’t bad enough that CCS’s contracts are silent on the issue of data assurance liability, in the United States there is no single Federal statute that tells you what you should do to prevent a breach and how to respond if there is one. Several states have already enacted their own legislation on the subject and more are beginning to consider doing so.

Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. That’s 49 different jurisdictions, each requiring you to notify individual customers residing there that their data might have been compromised. Complying with the simple notification requirement might end up costing you millions of dollars. And that’s before civil (and in some cases criminal) penalties and possible litigation.

It is important to note here that it is not the state where your business is located or the states where it is licensed to do business that determines this requirement. If you have a customer in a state, you must comply with that state’s notification requirement.

Just to make things more interesting, many of these state statutes also impose other requirements. The Massachusetts law, for example, imposes no fewer than eight specific steps you must take if data belonging to one of its residents is compromised by a security breach, regardless of where your company is located. The Internet knows no boundaries.

Add to this confusing and frightening picture the European Union’s regulations, which are far more pro-individual rights and sweeping than anything on the books in the United States. For example, there is at this writing legislation pending in Brussels at the EU headquarters that would impose global liability for data breaches even for companies not based in the EU. Significant fines (in the 5-10% range on your company’s global gross revenue) are under serious consideration.

So What Should You Do?

The first step you should take is to conduct a careful assessment of your data security requirements and potential liabilities. As an example, you are not in the clear just because you are not storing customer credit card information. Recent statutes are very protective of ANY personal data, including corporate data. Evaluating what data you are storing and what the law says you should be doing to protect it puts you in a position to take the next step.

The second step is to develop a plan of action and a set of policies and procedures for protecting data and dealing with breaches. Prioritizing this plan to focus on the most-bang-for-the-buck approach is important because even the largest corporations probably can’t anticipate and plan for every eventuality. This is a case where the more effort you show to comply with laws and common sense, the lower your liability is likely to be in the event of a breach. In the absence of data assurance standards, it’s important to do what you can to prevent data breaches and to deal intelligently with their aftermath.

The third step is to have your attorney review any agreements you have or are considering with CCSs. At a minimum, they can probably make the relationship around data assurance better. Will you get the CCS to agree to 100% indemnification? Not in the current climate, but an attorney can get more protections in an agreement than you’re likely to be able to without counsel.

Finally, you’ll want to obtain insurance to cover as much of your high-limit exposure as is commercially reasonable. If you’ve taken the first three steps, you may well find that the cost of such insurance drops considerably and becomes affordable even for a small to medium-sized business.
