MediaTech Law

By MIRSKY & COMPANY, PLLC

Liability for Data Loss in the Cloud: Why No One Accepts Liability? Why Carve it Out?

Posted by Andrew Mirsky in Blog, cloud, Cloud Computing, Cloud Security, cloud servicers, Cloud Services, Data, Data Breach, Data Loss, Data Security, Hosting Agreements, Service Level Agreements, SLAs, Software as a Service, Technology Contracts, Terms of Service, Terms of Use, TOS, TOU, Uncategorized 1

Why is liability for data loss typically carved out or tightly limited in cloud service and IT outsourcing contracts?  A common disclaimer in contracts for cloud services (and sometimes plain old IT outsourcing) runs like this:

You agree to take full responsibility for files and data transferred, and to maintain all appropriate backup of files and data stored on our servers. We will not be responsible for any data loss from your account.  (From http://techtips.salon.com/liability-loss-data-under-hosting-agreement-2065.html (emphasis added))

What is the Liability from Data Loss?

First, what exactly is the liability – from data loss – that is being disclaimed?  What is the risk?  For that, we turn to Dan Eash writing in Salon’sTech Tips”:

  1. Your site might be corrupted by hackers and spammers because your host didn’t properly secure the servers.
  2. Your host might do weekly backups, but something goes wrong and you lose days of work.
  3. You might have customers in a hosting reseller account who lose data because the host you bought the account from didn’t do regular backups.
  4. You might even have an e-commerce site where new customers make daily purchases.  If something goes wrong, how do you restore lost orders and customer details without a current backup?

I would add a 5th scenario: You just don’t know.  A huge, indeterminable, open-ended exposure to risk.  This may actually be the biggest reason for the standard disclaimer.  As a client of my firm described it to me, a provider of cloud-hosted services to business customers, “I think the biggest factor is simply the huge difference in potential liability.  If our hardware blows up, it’s not even at the client site, so the true liability is minimal.  Whereas data liability is nearly undefined.”

Why Don’t Service Providers Like Liability For Data Loss? 

Dan Eash writes, “Hosting providers know that despite their best efforts, things go wrong. If they didn’t have insurance to cover their losses and legal agreements to reduce liability, many would go bankrupt.  That is why you digitally sign long-winded hosting agreements that … invariably have a section that absolves the host of responsibility if data loss occurs.”

Well, that partly explains it.  This view holds that customers would be foolish to rely entirely on their service providers for all security and protection against data loss.  Why foolish?  Because “everybody knows” that when data is critical to your business, well-established and well-advised practices involve your backing up of your data.  That is, by the customer as well as by the service provider.  But again … why?  Because “things go wrong.”  It happens, and is well-known to happen.

An “undefined”, open-ended risk is difficult to intelligently insure against, while simple risk management alternatives already available to both parties make the calculus even easier.  Put simply, backup the data and do it regularly and frequently.

Putting the Actual Business Risk Aside, What’s Going on Here?

Many hosting service providers also believe that the “service” being provided is storage and bandwidth space for data, not data security.  Disclaimer of liability from data loss is therefore simply a disclosure of the obvious: Do not count on us to protect your data, and remember that data security is not the service we offer.  Or as one commentator puts it, “the client pays for the hard drive space and bandwidth space allocated over a set period of time that is based on no other SLA or agreements from the provider.  Thus if the service is down between that set period then the cost of said service would be refundable ….”

This view is ok to a point, but somewhat myopic.  Taking a position of “that’s not what we do” with cloud hosting services may not be fair (to customers) nor technically accurate.  Without a high degree of knowledge of the industry, customers might be forgiven for believing that data will be safe when given to a cloud service provider.  It certainly is true that technology isn’t perfect and “things go wrong”.  But without a decent sense of reliability, a cheap price just means cheap service.  Which is fine if the value proposition of the cloud is simply price, but the fact is that most consumer purchasers of cloud services are not as aware of the risks as the service providers.  And anyway, the value proposition is never only price.  Cloud technology is attractive because it is also thought of as mature and therefore reliable and safe.

The problem may be more with how contracts make disclosure about risks – often leaving it to lawyers and tiny-font, boilerplate, clickthrough agreements that lower-end services cannot reasonably expect customers to fully read nor understand.  It is understandable that companies shy from highlighting service frailties, but if the frailties of the cloud are due to common characteristics of as-yet immature technology, why the concerted effort to bury the risks?  Providers already promote service features with prominent and breezy point-of-sale disclosures.  Why not turn the limitations into a plus by promoting redundancy, backup services and strength of security?

With higher-end, niche and enterprise services for IT-sophisticated purchasers, burial of disclosure is less of a concern since the rationale for the liability limitation should be well-understood.

In any event, customer complaints about these provisions often arise more from the presentation of the disclosure rather than the fact of the data loss liability limitation itself.  If that is so, a great client education opportunity is being missed to highlight strengths and weaknesses of internet-based technologies and use that discussion to work with clients to assure smart processes and adequate redundancies.

Negligence and Strict Liability

Unless a contract imposes strict liability on a service provider, or unless a contract specifies a particular amount of liquidated damages from a data loss, an aggrieved customer would have to prove negligence as well as damages from a data loss.  Putting aside the difficulty of proving damages, negligence is predicated on breach of a duty of care.  This then, looks first to the terms of the contract and then to the industry to see what sort of duty is required.  A contract might specify a duty to make periodic backups, and might specify the types of backups, frequency and storage.  A contract might require minimum technical specifications, including specifications for security (dedicated IP address and URL, industry-standard firewall) or broader industry standards or industry “best practices”.

A contract might also specify a duty on the customer’s part: “You agree to take full responsibility for files and data transferred, and to maintain all appropriate backup of files and data stored on our servers.” (From Salon’s “Tech Tips”, see above.)  Customers might object to this requirement, or at least complain that this shouldn’t minimize a service provider’s duty of care.  And customers would be right that this doesn’t minimize a service provider’s duty, but it does potentially minimize a customer’s ability to collect damages.  Commercial law generally implies a duty on the part of both parties to mitigate damages, not just the injurer.

Regarding strict liability, where a motivating factor pushing cloud services is cheap access to services that customers could not otherwise afford, exposure from strict liability might be expected to result in higher pricing commensurate with an expensive service.  If potential damage from data loss is catastrophic, insurance will not available, affordable or practical to protect against liability.  And if service providers self-insure to cover potential exposures, presumably the services would become unaffordable.

Negligence, too, is tricky, particularly with new-ish technology where the marketplace is still fleshing out the requisite “duty of care”.   With terms like “best practices” and “industry standard” often insufficiently precise to manage risk, service provider conduct satisfying a duty of care is equally difficult to predict.  At the same time, it is very predictable that losses from data liability can be enormous.  As well-noted in commentary about this subject, a service provider’s negotiating position with a customer can materially influence the provider’s ability to cap or entirely bar data loss liability.  In cases of strong-positioned customers negotiating with smaller specialty service firms, mutually agreeable minimal technical specifications or standard operating procedures (SOPs) for contractually establishing a standard of care can thus be attractive to providers while giving better comfort to customers.

Philosophical Summary

Even if damages from data loss are potentially catastrophic, damages do nonetheless have to be proven in order to be awarded in litigation, again unless a contract specifies a particular amount of liquidated damages from a data loss.  (Not typical.)  And even a liquidated damages clause is a capped amount, often low and based on a portion or (low) multiple of contract fees.  One argument in favor of carving out data loss liability – an argument potentially attractive to providers and customers alike – is the pointlessness in having such an uncertainty built into the contract from the start.  A service provider might argue that the gross imbalance of exposure to potential risks versus fees earned makes liability for data loss unreasonable and therefore contractually unenforceable.

In a slightly different context, Doug Plotkin, head of U.S. sourcing for PA Consulting Group, cautions in CIO.com about this sort of problem.  Plotkin urges wariness of service providers offering unusually generous and non-market contract terms:

A provider can agree to anything, and if the service level penalty for failing to deliver is insignificant, it can be cheaper to fail than in fact to deliver.  This is a danger for all service providers. But it is probably a bit more of an issue because many of the cloud providers are less mature and have not gone through the crucible of having to keep promises as the larger, traditional providers have over many years.

So it turns out that there are reasons why “no liability for data loss” is standard.  Is it really reasonable that I, a cloud service provider, should be exposed to a liability that would likely bankrupt my business in exchange for relatively modest, market-competitive fees?  Perhaps not, and perhaps equally not where the “market” generally protects providers against liability for data loss.

Britnie Morris, a Research and Social Media Intern with Mirsky & Company, researched and contributed to this post.

Share this article: Share on Facebook
Facebook
Tweet about this on Twitter
Twitter
Share on LinkedIn
Linkedin
Email this to someone
email

Add Comment

Your email address will not be published. Required fields are marked *

Copyright 2022 Mirsky & Company, PLLC