Cloud providers shrug off liability for security
Businesses signing up for standard cloud services should not expect the provider to accept liability for data breaches and other security incidents, Microsoft and others have said.
At a Cloud Law Summit in London on Wednesday, Microsoft's head of legal, Dervish Tayyip, said the company would not provide financial guarantees against data-protection issues on cloud contracts.
"We're not an insurance company," Tayyip told ZDNet UK. "What is important is that customers understand the [cloud] offerings are standardised — they are what they are. If the offering does not meet customer needs, maybe the cloud is not a realistic offering."
Many businesses are turning to the cloud in the economic downturn to save on costs and for more efficient, scalable IT. However, a lot of potential buyers are nervous about who is to be held responsible in the case of a data breach or security incident, and so try to negotiate favourable terms that would put the risk onto cloud vendors, executives for the vendors said at the event.
Tayyip said that Microsoft and other big providers standardise their cloud services to make them more economic.
"It's to do with customers understanding the nature of cloud offerings," Tayyip said. "Some offerings are highly customised, so the pricing is highly customised. That's not [the cloud] business model, where we're seeking to standardise the service to keep costs down."
Nick Hyner, a legal services counsel for Dell in Europe, said he had found a gap in expectation when negotiating contracts with corporate customers.
"When corporate customers look at buying standard cloud services, there can be a mismatch between the value of the transaction and [their] expectations in terms of the financial and other risks vendors are willing to take," said Hyner. "[For example,] it's not possible or scalable to try to match individual security policies."
As none of the cloud providers accept liability, none of them has a competitive advantage in this area, according to Simon Bradshaw, a cloud-computing law researcher at Queen Mary, University of London.
"People are not deterred by liability issues because they won't get anything better anywhere else," Bradshaw said.
While consumers are protected by consumer laws, and large corporations have the economic clout to negotiate aggressively, small enterprises stand to lose out if their cloud provider has a data-protection problem, Bradshaw noted.
Liability issues are further compounded by cloud complexity, he added.
"Even the people that provide cloud services aren't sure quite how liable they are, as so often there are international relationships," said Bradshaw. "A British company contracts cloud services from an Italian company that buys infrastructure services from a US company — the customer doesn't have a direct business relationship with the person holding the data. When your data can be anywhere in the world, so can your legal headache."