The cloud’s hidden liabilities: 3 questions general counsels should ask themselves

Many companies take the cloud for granted and fail to identify the challenges for corporate legal departments.

The shift from storing data in-house to managing it on the public cloud has transformed business. Many cloud native companies take the cloud for granted, but fail to realize the new infrastructural reality introduces challenges for corporate legal departments - mainly assessing unfamiliar risks and addressing legal precedents.

The growing reliance on the cloud is driven by the many benefits: technology, innovation, scale and operational efficiency. But when you outsource mission-critical services, you’re also ceding control - and in the case of outages - you and your customers may find yourselves in the dark.

If the public cloud provider your company relies on crashes for 8 hours tomorrow - what are the legal implications?

Downtime happens

In 2021, the 3 main providers combined (AWS, Azure and GCP) experienced outages once every 3 weeks. These cloud downtime events impacted millions of businesses and users across the globe.

For businesses, outages can spell lost revenue, lost opportunities, disappointed customers and a tarnished brand. But outages also expose companies to legal issues which all stem from irate customers and disappointed investors who will claim you weren’t well prepared. Here are some questions to assess your legal exposure to outages.

Are you indemnified for losses by your cloud provider in case of an outage?

The plain answer is no. At best - you may qualify for service credits. But it's the cloud providers who decide whether an outage occurred or not, so you’re left with little leverage and negotiating power. But assuming you manage to overcome the wide array of exclusions and contractual loopholes - service credits won’t help you appease disappointed customers . They’ll seek indemnification for their own losses or damages and may start thinking about alternatives to your service.

Are your current policies protecting against business interruptions?

Your company probably has a cyber policy in place. But would your cyber policy indemnify you in the event of a cloud outage? Chances are it won’t. Although cyber policies offer some protection against business interruptions that aren’t the result of cyber attacks, they usually mandate long waiting periods of 10-24 hours. In 2021, the longest cloud outage lasted 11 hours - so there would be little in terms of a payout from a cyber policy.

Assuming you qualify for a payout, you’ll need to spend an inordinate amount of time and resources on an onerous claims process. You’ll need to prove damages to get a small payout months after the event occurred. And worst of all - indirect damages - like your damaged brand - won’t be covered.

Do you have legal liability in case of a cloud outage?

As outsourced cloud computing services continue to grow, a new reality is being tested and tried by businesses and lawyers alike. Consumers are leading the way and legally challenging companies over service outages and unmet SLAs. The answer to this question will become apparent in the coming years, as legal precedents are set. But either way, failure to provide full availability for time-sensitive services may carry a price and may expose companies to legal action for risks associated with 3rd party outages that were not mitigated.

Mitigating legal risk is elementary

Every public company outlines their identified risks in their SEC Form S-1 or 10-K. These forms point to reliance on 3rd party IT services as a business risk. Fiduciary duties mandate analyzing, identifying and mitigating the risks that may lead to lost revenue or a failure to meet targets.

Downtime insurance mitigates risks associated with cloud outages by insuring specific cloud services your business relies on. Coverage is pre-determined based on company needs, and payouts reflect the likely per-hour damages.

Downtime Insurance is a new product. But as reliance on the public cloud grows, it is fast becoming a staple and an integral item in the checklist of policies businesses need to implement to provide all-around coverage against new and unfamiliar perils.

The Parametrix Team
View Profile
May 30, 2022