B Due Diligence and ensuring adequate protection of data
The Distribute.IT hack indicates the importance for customers of ensuring their cloud provider can adequately protect their data and their interests – a concept known as ‘resiliency’. Patrick Stafford of Smart Company lists five lessons that cloud customers can take away from the hack: Grill your service provider, think twice about the cloud, don’t skimp on hosting (sign up with a trusted provider), get your security on track and keep up to date with security threats that may affect your business and your provider. Whilst these lessons are by no means new the Distribute.IT experience is a useful salutary tale as to the potential seriousness of the loss.
Australian Computer Society Chief Anthony Wong says the Distribute.IT hack indicates the need for cloud customers to go through their Service Level Agreements (SLAs) with a fine tooth comb, especially where the cloud system is critical to their business operation. In particular, customers should be prepared to negotiate SLAs that ensure adequate protection of their data in the event of a breach, rather than rely on standard SLAs that will often include a force majeure clause relieving the provider of their obligations in the event of a third party hack. At the very least this will require customers to enquire about the strength and nature of data protection from their provider, and may also require customers to undertake additional measures of their own, including keeping additional backups of all the data they upload to the cloud.
Of significant concern in the Distribute.IT hack concerning is their lack of effective backup procedures, which has come under attack from backup experts who note that such an attack,
should not be capable of rendering a company unable to recover its data… with an appropriately designed backup system, this level of data destruction should not have happened.
Clearly the avoidance of such embarrassing and damaging incidents requires efforts by cloud providers and customers to ensure not only that their data is protected, but also that damage from any hack is minimised through effective backup procedures. Wherever possible, customers should seek to impose on their provider strict obligations on data backup. The Cloud Security Alliance in their Security Guidance for Critical Areas of Focus in Cloud Computing outlines a number of governance recommendations for cloud providers and customers to ensure the security of their data. These include:
- dedicating a portion of saved costs in migrating to the cloud to ensuring and monitoring data security and the practices of the provider;
- developing robust security governance incorporating consultation between the customer and the provider;
- ensure wherever possible that SLAs reflect and make enforceable the customers security requirements.
Such measures are common sense ways of protecting against data breaches and minimising the potential damage when they do occur.
Another significant issue in the way data is dealt with in the cloud is the ability to migrate the data to a new provider should significant issues arise with the existing service provided. It is important for customers to ensure that their data remains portable should they choose or be forced to migrate to a different provider. In particular customers should be aware of the use of proprietary data definitions that may make migration difficult, and the consequences for their data if the company goes bust or if they are unable to pay the costs of the service in a particular month.
C Potential liability of cloud providers in negligence
The Distribute.IT hack also raises interesting questions as to the potential liability of cloud providers where insufficient security on their end results in substantial losses to their customers. Of interest to Distribute.IT and affected customers is the pending New York lawsuit against Sony (which surely will not be the last) for negligence, privacy violations and breach of contract, which may prove an interesting test case as to the extent of the application of negligence principles in particular to damaging data breaches.
The law of negligence is a developing area and the categories of negligence are never closed. Negligence law faces considerable challenges in keeping up with the pace and scope of technological change, particularly in the areas of pure economic loss, causation and the nature of harm. For instance, is the relevant relationship between Distribute.IT purely a contractual one? Or should the common law recognise that Distribute.IT also owes a common law duty of care to its customers to protect their customers from pure economic loss adequately protecting and backing up their data? Are the criminal actions of an unknown third party (the hackers) enough to place the consequences of the hack outside the scope of such a duty, or does the duty extend to the mitigation of the worst potential consequences of predictable data breaches? Could the loss of customer data be said to have been caused by the inadequate security and backup measures of Distribute.IT for the purposes of holding them liable or is the damage too remote? The common law moves at a much slower pace than technology and these questions remain wholly or partly unanswered. However, it is likely that the common law will eventually move towards imposing negligence standards on data storage providers, especially if the pace of legislative reform is perceived to be too slow, or legislation and regulation fails to prevent the adoption of lax security standards by cloud providers.
Liability in negligence may not be an appropriate method of dealing with data-security breaches in many cases. Where the breach is at a small or medium sized company such as Distribute.IT the potential losses to customers may be many orders of magnitude larger than what the company is able to bear, and the consequences of a successful claim would be ruinous. Further, a policy that encourages excessive caution or imposes burdensome obligations on cloud providers discourages the entry of new start-up players in the cloud environment and may be stifling of innovation which is vital for the sector. Arguably then an approach based on individual liability in negligence will only be preferable if industry regulation and legislation aimed at an industry wide-approach fails to prevent losses such as those incurred by Distribute.IT customers.