The decline in cloud computing privacy and security protections has gradually picked up pace over the last two years. With the advent of the novel coronavirus, COVID-19, the early months of this year have accelerated that pace. Businesses are now learning hard lessons about the reliability and responsibility of their cloud providers when it comes to privacy and security protections.
Don’t get me wrong. Almost every cloud provider can produce truly impressive marketing materials and, even, contractual commitments with regard to privacy and security. But when the rubber meets the road, very few providers are actually willing to assume any real liability if they fail to comply with those commitments. During audits, regulators in financial services and healthcare have made clear security/privacy protections without material liability results in illusory protection and is not consistent with exercising reasonable care in the protection of sensitive data.
A recent example will highlight the problem. A well-known cloud provider, through its own gross negligence, wiped out the data, both production and backup, for a number of their customers. The entire database for each customer was rendered unrecoverable. The customers were left having to engage in the laborious, time-consuming, and extremely expensive task of having to reconstruct those records by hand. In wiping out the data, the cloud provider breached its customer contract in several ways, but, as the provider was quick to point out, its liability for resulting damages was strictly limited in its standard agreement, leaving the customer with no real remedy.
The foregoing example points up one of the most substantial problems and trends we are seeing in cloud engagements: vendors who appear to offer outstanding security and privacy protections, but then limit their liability for violation of those protections, even if by gross negligence, to a trivial amount. In fact, two very well-known cloud providers attempt to limit their liability for every breach of contract, including data breach, to zero damages in their form agreements. They accept no responsibility whatsoever for their failures.
Another alarming trend is the very recent approach used by some cloud providers to absolve themselves of all liability (i.e., zero damages) for their third party hosting vendors. That is, the cloud provider can subcontract the entire operation of its data center to a third party and thereby avoid any liability if that third party suffers a data breach, incurs substantial down-time, fails to have adequate disaster recovery/business continuity procedures and plans, etc. Worse yet, if that happens, the customer is not permitted to terminate its contract with the original cloud provider. The customer, having had its data compromised, must continue to pay for a faulty service through the entire remainder of the term of its contract with the original cloud provider.
To complement their refusal to assume material liability for their obligations, a growing number of cloud providers are taking the unprecedented step of offering their services, even those involving hundreds of thousands of dollars in fees, as entirely “as-is,” with no warranties or performance obligations at all. The customer is, in essence, signing on to pay for a service that need never work, never be available, be entirely insecure, etc. If pressed on this point, the providers seem genuinely shocked that a customer might want or need actual performance obligations.
Yet another change in cloud contracting is the multi-national nature of many providers. This means a business’ highly sensitive data may, without its knowledge or consent, be transmitted, stored, and accessed anywhere in the world, including locations that have little or no laws respecting the protection of data. This creates a very substantial concern for regulated entities like healthcare providers and financial institutions.
Finally, there are the most recent risks created by COVID. These include the use of minimal, skeleton onsite staffing at hosting locations and the authorization of remaining vendor personnel to work remotely, frequently from unsecure locations or using public Wi-Fi. It is not uncommon for remote workers to access sensitive systems and data using shared home computers or computers in rooms with other individuals present who can view the worker’s screen. In some instances, sensitive information is printed via unsecure printers and the hardcopies not disposed of in a secure manner.
COVID also creates the perfect storm of businesses under duress because of the limited resources available to them to continue to conduct business and the siren song of cloud providers. Under these circumstances, many businesses are choosing to take the plunge and move more operations to the cloud. Unfortunately, moving those operations, particularly if they are critical or involve highly sensitive information, could present very substantial risk. If something goes wrong, the business may be left with little or no real remedy.
What, then, is a business to do to protect themselves? The key is in truly understanding the risks presented by a potential cloud engagement, including how those risk are (or are not) mitigated in the proposed contract. In some cases, the risks simply cannot be mitigated, but must be accepted. Better, however, to accept those risks knowingly, than to discover them only after an adverse event has occurred (e.g., performance failure, security breach, misuse of data, etc.). In other cases, identifying the risks early and having a clear conversation with the vendor about them, may result in at least some ability to mitigate those risks. The earlier in the potential engagement to have that discussion, the better. Waiting until the “sale is done”, will leave the vendor with little or no interest in negotiating. If, however, they believe they may lose a sale, they will be more inclined to negotiate.
Unfortunately, all too often, businesses become fixated on a particular cloud provider and leave themselves no room to find an alternate if appropriate protections cannot be negotiated. This is the single greatest errors we see in negotiating cloud agreements. It is not unusual for an initial negotiation call to begin with the customer’s business person stating that “we need to get this solution in place by next month or we will be in great trouble.” Saying something like that will leave the customer with virtually no negotiating ability. As noted above, the vendor must believe they can lose the sale before reasonable terms may be capable of negotiation. Don’t give up that leverage.
It bears point out that not all cloud providers are created equal. While, as noted above, a growing number offer little more than illusory protection to their customers, there remain a large number of providers that truly “get it”. They value their customers, listen to their concerns, and offer solutions and contract terms to address those concerns. A case in point: while many cloud providers are scrambling to find ways to absolve themselves of any real responsibility in their contracts, one of the most well-known providers offers unlimited liability for data breaches in their standard, unmodified customer agreement. Why do they do that? Because they know it distinguishes them from the rest of the pack. They know data is one of the most important assets of their customers and want to show they take their obligation to protect that data seriously.
In summary, cloud computing can be cost-effective and of tremendous benefit to most businesses. Know the risks, however, before entering into a new engagement. Ask what liability the vendor really has, particularly for critical performance failures and data breaches. Check disclaimers of liabilities and warranties carefully to determine if they undermine or, as likely, render largely useless security and privacy protections. Nail down where your data will be hosted and accessed. Try to identify vendors that truly do appreciate their customers and make a real commitment to stand behind the contractual protections they offer. Finally, never buy into the common vendor ploy of saying “trust us, we’ve never had a failure or a breach of security, you don’t need those contract protections.”