September 27, 2011
—
CSO
—
Let's imagine your company uses a cloud-based IT service and pays the provider $100,000 per year. Now let's imagine that cloud provider suffers a security breach, and your data is compromised. The total cost to you (notifications, remediation, regulatory fines) is $1 million.
Think your cloud provider is going to cover those costs?
The answer to this very important question lies buried in the details of your contract with the service provider. You remember signing that contract, right? Or at least carefully reviewing it before the CIO signed it?
Cloud contracts typically specify a "limit of liability"—an absolute maximum the cloud provider is on the hook for in the event of a problem. The limit of liability is often some multiple of the annual revenue in the contract.
Kris Herrin, CTO of Heartland Payment Systems, brought this issue to my attention. Any time Herrin speaks to a group of IT or security professionals, he likes to ask the crowd, "What's your multiple?" The answers are always interesting, he says, because they're so diverse. Some people might say 10 (in which case the provider in the example at the beginning of this column would actually cover the damages). More might say 5 or 2 or 1.
A disturbingly high number of people say, "I don't know."
Herrin says that currently, the risk equation is way out of whack for cloud deployments, meaning most contracts have a low multiple and therefore assign too much of the risk to the cloud consumer.
Herrin also says that for companies that get it, the limit of liability in private-cloud deployments is typically a multiple of the lifetime value of the contract rather than the annual value.
You, as the cloud consumer and ultimate steward of your data, need to know your service providers' limits of liability. And you need to have a sense of what's common in these contracts, and also what's fair and reasonable, and perhaps have some awareness of what might stand up in court.
Legal minutiae! It's the best part of the CSO job, right?
I have never wanted to be a lawyer, and perhaps you haven't either. So you might not relish scouring contracts. But whether you look at guard contracts, vendor contracts, or internal service-level agreements, that duty has become a standard obligation for security leaders.
Other stories by Derek Slater