Salesforce, Workday, and SuccessFactors Failing to Bear the Risk of Data Theft from Hackers

A central issue for business and legal executives contemplating moving critical business processes and data to the cloud is the risk associated with potential security breaches and data theft by hackers. Cloud providers will not offer absolute protection for security and data breaches. They will typically provide warranties to comply with all laws related to data privacy and use reasonable efforts to comply with their security procedures. Generally, however, they will not warrant or assume liability for damages related to the unauthorized disclosure of data beyond the subscription fees paid during the prior 12 months.

So why are Cloud providers passing the risk of data breaches from hackers onto their customers, and is it fair?

Well the first part of the question is easier to answer:

• Cloud providers cannot guarantee protection against hacking and the cost of assuming such financial risk is prohibitive.
• Cloud providers maintain that customers are better able to make decisions on guarding against this risk, such as obtaining insurance based on the customer’s individual requirements.
• Cloud providers also hold firm to the claim that their security provisions and protections are far better than those of any individual organization. This is supposedly driven by their need for robust and highly effective security protections in order to maintain their businesses, thus incentivizing them to invest in the best security systems available and to maintain continual improvement programs.

But even the best security systems are susceptible to being hacked. So, is the risk shifting fair?

A brief look at product liability law can shed some light. Before the industrial revolution we lived in a buyer beware climate. Products and goods were simple to inspect prior to purchase and the burden was on the buyer to ensure the product or good was of proper quality. Once the purchase was made the buyer assumed all risk for any failures. As consumer products became more complex and specialized after the industrial revolution and into the 20^th century, it became much more difficult for a buyer to have the knowledge or ability to inspect for quality – think radios, home appliances, and automobiles.

Consumers also did not have the means to purchase insurance, so as products failed and people suffered harm they were left to pay for the associated damages out of pocket. This risk allocation eroded incentives for businesses to make their products safer or of higher quality. So as the situation worsened over the years, it became clear that the manufacturers were in the best position to guard against the risk of defects, and the laws evolved to shift the responsibility to manufacturers. This policy is based on two key issues – control and insurance.

Manufacturers control the raw materials, workers, and the manufacturing process and can therefore better guard against defects. Additionally, manufacturers are in a much better financial position to purchase insurance for product defect risks and pass the associated costs back to consumers through increased prices. Essentially, consumers will be paying for the insurance and will be covered for any harm suffered by defects, thus ensuring adequate financial coverage for these unpredictable risks. This has been the primary product liability policy and theory for the better part of the last half century.

So as between cloud providers and their customers,  is it fair that cloud providers, who have virtually complete control of all elements in providing their service including their security policies, pass the risk of harm suffered from hacking back to their customers? On the one hand, the products liability policies identified above would suggest no; that cloud providers should be purchasing insurance to guard against this risk and maintain the incentive to continually improve security policies, procedures, and tools. On the other hand, the costs of providing cloud services and the security measures required by insurance companies in order to qualify for and maintain insurance coverage could rise to the point that cloud providers are no longer willing and able to provide services at market competitive prices. Plus, the cloud customers we are speaking about are businesses as opposed to end-user consumers, and have the necessary financial means to purchase their own insurance coverage. Therefore, depending on your perspective, one can reasonably contend that the risk shifting is either fair or unfair.

Irrespective of the perceived fairness in shifting risk, the decision to adopt a cloud strategy in light of potential data hacking should factor in these 3 key considerations:

1. Comfort level with relinquishing control. This includes control over the systems running your business and containing your business data, as well as the security policies, procedures, and tools used to protect such information. If the security systems are compromised and require the cloud provider to order an emergency shut-down, do you have appropriate back-up plans in place to avoid a lengthy and costly business disruption?

2. Adequate Insurance Coverage. You need to ensure you have acquired the appropriate level of insurance protection deemed necessary based on the nature and volume of the business data you will be deploying in the cloud.

3. Data Breach Policies. This includes reviewing and planning how to handle foreseeable ‘what if’ scenarios, such as a breach of:

• personally identifiable information (PII);
• business financial records not publically released; and
• confidential information of business third parties that may be stored in a cloud solution

Risk considerations should not be limited to potential lawsuits from third party claims, but also include impact to business goodwill, potential extortion demands, and politically motivated attacks – as we recently saw with the Sony Pictures hack.

In summary, customers should have a cross functional team taking a holistic approach in considering the risk associated with adopting a cloud strategy, and ensuring they have appropriate insurance coverage and risk mitigation plans in place in the unfortunate event these risks come to fruition. Keep in mind that the cloud providers will be primarily concerned with mitigating their own damages if their security systems are compromised, and they will not have the bandwidth or resources to address any customer specific scenarios that may be highly sensitive. Remember, the cloud providers have already contractually disclaimed damages resulting from hackers, provided they have followed their own security policies, no matter how lacking or ineffective they may prove to be in preventing the hack. So when it comes to the risks from hacking, it is buyer beware!

We would love to receive your feedback and thoughts, so please do not hesitate to post a comment. You may also contact me directly at jlazarto@upperedge.com if you would prefer a more discrete discussion regarding your specific circumstances.

Follow me on Twitter @jeffrey_lazarto, find my other UpperEdge blogs, and follow UpperEdge on Twitter and LinkedIn