Cloud Risk: Do You Transfer Liability Along with Data?
Many of us were storing data in the cloud before we even knew what the cloud was. Now, while most of us are comfortable with the concept, we may be less comfortable with the question of who is liable when that data is lost, damaged or breached. It is not a given that your cloud provider absorbs any of that liability, and it is not a given that the provider could even afford to, should it arise. Below are quotes from an article by Scott Godes, Kara Cleary, and Heidi Fessler of Barnes & Thornburg LLP on the subject, and a link to their complete article.
Godes, Cleary, and Fessler list several cloud-related risks: data breaches, data loss, interruption of access, compromised credentials and broken authentication, and denial of service. Two further categories of concern are:
#1. BYOC, or Bring Your Own Cloud. Employees may be innocently using productivity applications that store work data on non-company clouds, in effect, “bringing their own clouds” to the workplace.
#2. Multi-Tenancy. This covers the risks that arise when unrelated cloud customers share the same underlying computing resources, so that a failure of isolation affecting one tenant can expose another.
“Both the cloud provider and the user must be aware of system and data security to prevent a breach in the security. In addition, when a risk is realized, it may not always be clear who is at fault for the system or security failure.
“There are a lot of misconceptions around the cloud and liability,” the Barnes & Thornburg attorneys write.
“Many companies assume that along with the transfer of their data, they have also transferred their risk to the cloud provider,” they say. “Absent a clear agreement that shifts liability to the cloud provider, the practical reality is that in most cases, there’s very little protection in terms of liability with cloud providers, unless parties are willing to engage in protracted litigation to determine otherwise. The shifting of liability is not nearly as easy as the transfer of data and often it may be the case that the responsibility for a data breach rests with the party that collected and maintained the data originally. Perhaps the most notable exception has been in the healthcare industry, where companies providing support often are classified as ‘business associates’ under HIPAA and might be subject to the same obligations for protecting data as the entity with the original patient relationship. Even here, one could argue that liability transfer does not occur, but rather a liability expansion that includes the cloud provider.”