Cloud Concerns: Solution Providers Need Liability Protection
Solution providers should review their contracts regarding their liability involving a breach of a customer's data, otherwise they could be in for trouble, said Zenith Infotech's general counsel during a general session at the PSA platform company's Cloud Summit in Moon, Pa.
"Hire counsel to draft your initial agreement to make sure you get it right the first time. You don't want to go back and change agreements or not comply with the law. Make revisions sparingly," said Bradley Gross, an attorney at Becker-Poliakoff, a Fort Lauderdale, Fla.-based law firm.
Contracts should be especially scrutinized for VARs and MSPs selling cloud solutions to customers, Gross said, because of all the parties that theoretically might own or touch the data. Any good vendor is likely to have an airtight policy regarding its liability and contracts need to very explicitly detail the solution provider's liability as well, he said.
VARs are exempt from liability in many cases as long as they include the correct legal wording in contracts, he said.
"From an MSP perspective, it's always ambiguous on whether you give a special layer of security," Gross said. "For example, HIPAA relates to entities that personally deal with health information. But you're not a doctor or insurance company. With Sarbanes-Oxley, you have no responsibility as an MSP, but the companies giving you data do."
Gross stressed that that's the law right now but a new SAFE Act currently under discussion in Washington could change the game.
"You guys don't have laws governing data security besides the High Tech Act. Keep your eye on the SAFE Act. It might put responsibility on how much security you have to offer customers. At best it will be out in mid-2012, assuming there are no changes to it," Gross said.
VARs are still subject to negligence laws, Gross said, meaning that they could be held responsible if they knew of a problem or knew that it was their duty of care and didn't meet that duty of care.
"Then you're going to have a problem. It's negligence. Not only did you know [of a problem] but you willfully ignored it," he said.
Solution providers are also subject to Federal Trade Commission laws that say they must perform the scope of the contract. "If you don't do what you say you're doing, that's a problem," he said. "They will go after you for unfair trade practices if you promise a customer something and don't do it."
Gross offered two suggestions to VARs selling into the cloud.
First, they shoud check with their upstream providers to understand their security parameters. "You can't offer that which you don't have," he said. "If I offer you a [encrypted cloud] solution and you type in 'Charlie' and then you can see [unencrypted] codes, don't say you have the best encryption in the business."
Second, understand the data storage chain, Gross said. Know where the vulnerabilities are so you know what to promise and not promise.
"Create a security plan for monitoring, detection, escalation, remediation and notice," he said.
Next: Corrupt Data Liability
It's always foolish to offer "100 percent" security, Gross said, because such a beast does not exist.
"You need to put parameters in the countract. They should be whatever Zenith [Infotech] is offering you at the end of the day. You don't make statements that something is foolproof. If you do, you've exceeded the parameters that were given to you and you could have a problem," he said.
Many states allow businesses to have language limiting their liability to what they have been paid for by customers, Gross said. It's best to check with your specific state and make sure it's clear and conspicuous in a contract. "Don't bury it," he said. "Have a paragraph with a limitation of liability. If you have that, limitations are usually enforced."
For example, Gross said the Cern particle accelerator in Europe ran an experiment which found that 33,7000 files, one in 1,500, were corrupt in a sample of 8.7 terabytes of user data checked for accuracy.
"There was no sign [beforehand] that it was corrupted. That's a problem for Cern," he said.
Additionally, a University of Wisconsin study of 1.53 million hard drives over 41 months found 400,000 instances of silent disk corruption when there was no prior indication of a disk problem.
"You guys selling cloud solutions. I assure you that some of the data from some company got corrupted and is sitting in a corrupted manner offsite and you don't know about it," Gross said.
The Wisconsin study also found no clear evidence that workload effects the probability of developing silent data corruption nor that disk size affects the probability of corruption.
"The point is this stuff happens," Gross said. He quoted Amazon's cloud liability statement, which says "though unlikely for any given request, data loss or corruption in transit does occasionally occur" and that IBM's statement says in a worst case, it can lead to silent data corruption.
"What does your agreement say or not say about silent data corruption. If it affects Cern, IBM, Amazon, Zenith, then it affects you," he said.
Another way to limit liability is to mandate that the customer must use verification processes for the integrity of stored data. You can also upsell them a vendor's verification services, Gross said.
"Again, make it clear and conspicuous in your contract. It's worth it to encourage customers to spend a little more money [on verification services]," he said. VARs can only be held liable if data is unencrypted when it is stolen or released.
"If encrypted data is stolen, it doesn't trigger these [data breach] laws," he said.
When it comes to compliance regulations, it's also important to audit the chain of how and where encryption and decryption of data takes place. "Are you a conduit or are you manipulating and modifying the data. If you take ownership of it, you have to make sure you're protected. Are you installing agents that provide unencrypted information back to you," Gross said. "The FTC also looks into privacy issues. If you say it, you have to do it. If you imply it, you're reasonably expected to do it, you better do it."
Gross used an example of one Web site that said it would never give away personal information. But the company went bankrupt and customer information became an asset that the company wanted to sell. The FTC ruled it could not sell it because it said it would never give it away.
"That's how serious government takes privacy these days," he said.