Given the expensive consequences of even relatively short cloud outages, legal action is inevitable in some instances. Companies have to determine whether they actually have a case and if it even makes sense from a business perspective to engage in a legal battle.
The potential for legal recourse goes back to the contract a customer signs with a cloud provider -- and those contracts are relatively impermeable. “The cloud providers have all been very effective in terms of limiting any damages that the end user is going to be entitled to in the contract,” says Elizabeth Ebert, CIO advisory partner at IT consulting practice Infosys Consulting.
“There are always going to be caps on limitation of liability and indemnity,” says Lisa Rovinsky, partner at full-service law firm Culhane Meadows. A data breach can affect large groups of customers, and if they were all to sue the cloud provider, it could not remain in business.
But negligence on the part of the cloud provider could mean breach of contract. “If a cloud provider fails to follow its stated security procedures, there's justification to seek a large or even unlimited liability,” says Rovinsky.
To date, there have been a number of significant moves, including class action lawsuits, against cloud providers for outages related to ransomware. For example, a ransomware attack against Ultimate Kronos Group triggered a class action lawsuit against the workforce management solutions company. Because of the breach, Kronos Private Cloud customers were unable to process payrolls for weeks.
A ransomware attack took down 365 Data Centers’ entire cloud. Customers experienced an outage, and the hybrid data center solutions company had to rebuild its platform. Customers filed a class action lawsuit, alleging the company’s failure to segment and weak security left it vulnerable to the ransomware that led to the outage and loss of customer data.
When it comes to the major cloud providers, referred to as hyperscalers due to their data processing methods and capabilities, legal action will be difficult because of the position these companies have carved out for themselves.
“They [customers] are going to have to show some sort of negligence on the behalf of the providers, and the hyperscalers actually set the standards. So, it’ll be hard to argue that their standards are not best practices because they set the standards,” says Joseph Williams, partner of cybersecurity strategy at Infosys Consulting.
Cloud Provider Relationships
While pursuing damages via lawsuit could be a possible avenue, cloud customers may decide against it because of the importance of their relationship with a cloud provider.
“The reason for not relying on a lawsuit for damages often involves the level of reliance that the customer places on the provider -- suing a key business partner is often not the best way to manage such a relationship,” James Meadows, co-founder of Culhane Meadows, points out.
If a customer has the majority of its data with a cloud provider, suing could mean shouldering not only legal costs but also the hefty cost of switching cloud providers.
Insurers who fail to meet their policy obligations in the event of an outage may also be the target of legal action. When deciding whether to pursue action against a stubborn insurer, “Companies should look at what provisions the insurance companies are citing to deny coverage,” says Cindy Jordano, a partner with insurance recovery law firm Cohen Ziffer Frenchman & McKenna. “Typically, when insurers deny, they have to tell you why they have to cite what policy language they're relying on.”
Class actions against insurers are far less likely, Jordano adds. “These cases tend to be very unique to the facts. There needs to be a specific loss a policyholder has faced.”
The outcome of lawsuits, like the ones against Ultimate Kronos Group and 365 Data Centers, could shape the landscape for future legal action against cloud providers. As cloud adoption continues to increase, the relationship between providers and customers will evolve. Cloud customers are maturing and developing more sophisticated hybrid cloud strategies, which Rovinsky predicts will trigger a shift in the cloud space. “You are going to see more negotiations on everything,” she forecasts.
What to Read Next:
5 Lessons from Facebook, Instagram, WhatsApp Outage
Litigation vs Google May Cause Ripples in Data Collection
5 Cyber Resilience Lessons We Re-Learned in 2021 (But Will Probably Forget)