> From: John Thompson
> The company I work for is looking at a product that 
> stores a bunch of "our" sales data in the "cloud"
> Our internal legal person had a look at the contract 
> that the company is proposing and apparently it has a 
> little clause in their that they are not liable if the 
> data gets stolen. Is this standard with cloud products?

There is a separation of responsibilities that needs to be
understood by everyone these days.  We expect the data centers
for cloud companies to be secure.  Once we give them data we
expect them to hold onto it.  And if we are paying them to do
something with the data, we expect them to do that with full
reliability.  That's Their responsibility.

But we also pay these cloud services for increasing types of
accessibility to our data.  With more accessibility, there are
more opportunities for data exposure.  We cannot expect them to
accept responsibility for vulnerabilies which we ourselves may
create, which includes:
- transport outside of a VPN
- transport of plain text data
- open transport of credentials (user/psw)
- exposure of credentials whether on lost devices, stickynotes on
the monitor, or a list in one's wallet

And in this world of networked data we must understand that
security is always a moving target.  The environment that is
secure today could be compromised tomorrow after a patch is
applied or simply through the constantly improving skills of bad
guys.  It's very difficult for a company to accept responsibility
for constantly changing details outside of their control.

Sure, we expect that a cloud company will protect data on-site
against theft or acts of nature, but in a networked environment
there are points of exposure.  They can strive to protect their
systems and networks against hacks but this is a huge ongoing
expense and it's an imperfect science where occasionally even the
top professionals are caught unaware.  They can strive to create
a contract that explains how they will accept responsibility for
their side of the environment while not being liable for damages
due to issues outside of those definitions.  But that leaves
contracts vague and open to contention.  It's better for them
simply to say they're not liable for losses.  Accept it or don't.

There is also the question of what liability really is.  Is a
compromise of your data worth $100 or $1 Million?  To avoid such
evaluation in a claim, it's better to just get the issue waived
up front.  You can accept this or reject the premise and try to
get someone else with an insurance company that will settle
high-value claims.

In a non-litigious world, the simplest and most honest contract
might read "We really do the best job we can, and we think we do
better than our competition, but if anything at all bad happens,
we simply can't accept blame or pay any damages. Welcome to the
modern world. If you accept this, we'd love to do business with
you. If not, we're sorry, but we can't take a chance on going out
of business for something that's not related to what we really

For your part, when you do host data off-site, use every
encryption and security mechanism available to protect your
business outside of the scope of the services provided by the
cloud host.  This becomes your responsibility.  Then you need to
figure out how you're going to convey Your position on
liabilities to Your clients.  "We really do the best job we

So the bottom line here is that you get the best contract you
can, and try to get clarifications or commitments in writing. But
you also need to balance expectations with an understanding of
the world we're living in, and cover for vulnerabilities with
your own solutions where possible.


U2-Users mailing list

Reply via email to