Cloud providers shrug off liability for security

Summary: Businesses on a standard cloud contract should not expect providers to accept responsibility for data breaches, say Microsoft and Dell lawyers

TOPICS: Cloud, Legal

Businesses signing up for standard cloud services should not expect the provider to accept liability for data breaches and other security incidents, Microsoft and others have said.

At a Cloud Law Summit in London on Wednesday, Microsoft's head of legal, Dervish Tayyip, said the company would not provide financial guarantees against data-protection issues on cloud contracts.

"We're not an insurance company," Tayyip told ZDNet UK. "What is important is that customers understand the [cloud] offerings are standardised — they are what they are. If the offering does not meet customer needs, maybe the cloud is not a realistic offering."

Many businesses are turning to the cloud in the economic downturn to save on costs and for more efficient, scalable IT. However, a lot of potential buyers are nervous about who is to be held responsible in the case of a data breach or security incident, and so try to negotiate favourable terms that would put the risk onto cloud vendors, executives for the vendors said at the event.

Tayyip said that Microsoft and other big providers standardise their cloud services to make them more economical.

"It's to do with customers understanding the nature of cloud offerings," Tayyip said. "Some offerings are highly customised, so the pricing is highly customised. That's not [the cloud] business model, where we're seeking to standardise the service to keep costs down."

Nick Hyner, a legal services counsel for Dell in Europe, said he had found a gap in expectation when negotiating contracts with corporate customers.

"When corporate customers look at buying standard cloud services, there can be a mismatch between the value of the transaction and [their] expectations in terms of the financial and other risks vendors are willing to take," said Hyner. "[For example,] it's not possible or scalable to try to match individual security policies."

As none of the cloud providers accept liability, none of them has a competitive advantage in this area, according to Simon Bradshaw, a cloud-computing law researcher at Queen Mary, University of London.

"People are not deterred by liability issues because they won't get anything better anywhere else," Bradshaw said.

While consumers are protected by consumer laws, and large corporations have the economic clout to negotiate aggressively, small enterprises stand to lose out if their cloud provider has a data-protection problem, Bradshaw noted.

Liability issues are further compounded by cloud complexity, he added.

"Even the people that provide cloud services aren't sure quite how liable they are, as so often there are international relationships," said Bradshaw. "A British company contracts cloud services from an Italian company that buys infrastructure services from a US company — the customer doesn't have a direct business relationship with the person holding the data. When your data can be anywhere in the world, so can your legal headache."

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

  • "Shrug Off"? Really? Would you accept that with YOUR data?

    Ok, maybe it is just me. Maybe I just have a narrow-minded concept of "responsibility" or "expectations", but this sounds totally wrong to me.

    "We're not an insurance company,"

    No one is asking or expecting them to be an insurance company. They are only being asked to take responsibility for protection of the data they are being entrusted with.

    "If the offering does not meet customer needs, maybe the cloud is not a realistic offering."

    I couldn't have put it better myself. This is exactly what a lot of people have been saying from the very beginning - without the proper safeguards and definitions of responsibility, the "cloud" is a sucker's game.

    "When your data can be anywhere in the world, so can your legal headache."

    This is a perfect closing statement for the story. When you put your data "in the cloud", it can end up anywhere in the world, whether you want it to or not, and no one is going to take responsibility for that happening. No one, that is, other than YOU. Think carefully.

    jw 12/2/2010
  • Left hand, right hand

    Microsoft seems a bit schizophrenic here; Brad Smith, Microsoft General Counsel
    Simon Bisson and Mary Branscombe
  • (cont)

    Brad Smith, Microsoft Vice President and General Counsel, talking at the Cloud summit last month:

    We need Congress to modernize the laws, adapt them to the cloud, and adopt new measures to protect privacy and promote security. That
    Simon Bisson and Mary Branscombe
  • hmmm.

    That's what I thought they were doing, so why the change in approach? Bloody morons, how hard can it be to sit around a table and agree on some standards?
  • The simple truth is that once data is in a public cloud, the "owner" has lost control of it. No cloud service provider will accept liability for data loss or theft (don't forget many employees can and will steal company data for a quick buck - as HSBC recently testified) - just placing a value on it would be horrendous. The software exists to enable SMBs to create their own in-house cloud (broolz) - why would a company hand over control of its lifeblood?