Devil hunting in cloud service contracts

By Carol Ko 19-Jun-2012

Gigi Cheah, Partner and Jeremy Tan, Associate, Asia IP & Technology Group, Norto

Do cloud service providers owe a duty of data protection to their customers?


Norton Rose: In general, a cloud service provider does not owe the customer a duty to protect the data of its customers unless such a duty is imposed through the cloud service contract -- that is, the cloud service provider agrees to protect and keep secure the data of its customer. Service levels do not create a duty to protect data per se.

As a customer, it is strongly advisable to negotiate into a cloud service contract a general obligation of confidentiality on the part of the cloud service provider and undertakings from the cloud service provider that it will comply with all applicable data privacy laws.

What risks do cloud service providers face for sharing their customer data with third parties? How will they limit their liability in a cloud service contract?

Norton Rose: A cloud service provider can face regulatory censure and be in breach of its data security obligations and contractual obligations to its customers if the cloud service provider shares its customers' data with third parties, without the consent or authorization of the customers. This risk is accentuated when the data in question relates to sensitive personal data, such as financial or medical information.

In order to mitigate this risk, the cloud service provider can introduce provisions in the cloud service contract that limit its liability from any disclosure of the customer's data. Whilst not related to the cloud service contract, the cloud service provider can seek back-to-back arrangements with its service providers (e.g. a data center) to allow the cloud service provider to recover any compensation it may have to pay out to a customer for disclosure of the customer's data.

In the event of a data breach of a customer's corporate information by a cloud service provider, whom should the customer approach for damages, and funds to cover third-party liability?

Norton Rose: If a default by a cloud service provider results in the loss or misuse of a customer's corporate information, the customer may recover damages (including losses from third party claims) from its cloud service provider (to the extent it is not limited from doing so by the cloud service contract). However, as noted above, cloud service contracts are usually supplier-centric and will usually exclude or limit the customer's ability to claim damages.

In this event, or if it is difficult to prove that the loss was caused by the cloud service provider, it is prudent commercial practice for corporations to have in place insurance that would cover such losses. The ability of a customer to recover against such "cyber insurance policies" would depend on the scope of the policy and the factual circumstances surrounding the loss.

What other important reminders do you have for organizations that enter into cloud service contracts?

Norton Rose: It is important to ensure that the cloud service contract contains key requirements that may have been imposed by a relevant regulator, such as provisions committing the cloud service provider to adhere to service levels, provisions relating to data security and confidentiality of corporate information, as well as provisions to ensure that the cloud service provider complies with data privacy laws.





