COVID and Cloud Computing

The decline in cloud computing privacy and security protections has gradually picked up pace over the last two years. With the advent of the novel coronavirus, COVID-19, the early months of this year have accelerated that pace. Businesses are now learning hard lessons about the reliability and responsibility of their cloud providers when it comes to privacy and security protections.
Don’t get me wrong. Almost every cloud provider can produce truly impressive marketing materials and even contractual commitments with regard to privacy and security. But when the rubber meets the road, very few providers are actually willing to assume any real liability if they fail to comply with those commitments. During audits, regulators in financial services and healthcare have made clear that security/privacy protections without material liability result in illusory protection and are not consistent with exercising reasonable care in the protection of sensitive data.
A recent example will highlight the problem. A well-known cloud provider, through its own gross negligence, wiped out the data, both production and backup, for a number of its customers. The entire database for each customer was rendered unrecoverable. The customers were left with the laborious, time-consuming, and extremely expensive task of reconstructing those records by hand. In wiping out the data, the cloud provider breached its customer contract in several ways, but, as the provider was quick to point out, its liability for resulting damages was strictly limited in its standard agreement, leaving the customer with no real remedy.
The foregoing example points up one of the most substantial problems and trends we are seeing in cloud engagements: vendors who appear to offer outstanding security and privacy protections, but then limit their liability for violation of those protections, even if by gross negligence, to a trivial amount. In fact, two very well-known cloud providers attempt to limit their liability for every breach of contract, including data breach, to zero damages in their form agreements. They accept no responsibility whatsoever for their failures.