Tuesday, June 12, 2012

Cloud Contracts – Data Protection

On the LinkedIn contracts group that I moderate (Contracts Questions and Answers) someone asked about liability for customer data in a cloud hosting agreement.

A customer has several primary concerns about its data. One is its own potential damages if the data is disclosed. A second is what its potential liability to third parties would be for information entrusted to the purchaser of the cloud service, e.g. personal data or confidential information. A third is where the data will be held, since the laws protecting data differ widely around the world.

The difficulty for the cloud host is that it doesn't know, and won't try to identify, the nature of the data being hosted. A similar problem exists when computer disk drives are returned as defective: the disk manufacturer disclaims any liability for the data on the disk, requires that the disk be erased before it is returned, and makes further erasure of the disk the first step in its own process. Unfortunately a cloud hosting business can't do that.

I think that:
1) The host service needs to make the customer responsible for identifying the type of data involved, as that could require hosting it on different servers with different levels of security. While you are simply holding the data, customers will consider you responsible for managing its security.
2) You need to make it clear where the data will be held so customers can determine whether they will accept the risks associated with having data stored in those locations. The simple fact is that not all locations provide the same protection.

When it comes to the liability of the cloud host, I would argue that there is a precedent established for a similar activity: escrow agent services. There the custodian is liable only for willful failure to comply with the terms of the agreement, or for negligence, misconduct or fraud in the performance of its duties. Applying this would require that the agreement describe how the cloud data will be managed and protected. Then, as long as you don't willfully fail to comply with those commitments, are not negligent, and have not committed fraud or misconduct, you wouldn't be liable for the data. Where the cloud host could still be potentially liable is if you made specific service level commitments for the hosting activity and failed to meet them.

I read a good article called Five Secrets your cloud provider won't tell you about multi-tenancy. The URL is:
