JOURNAL OF INTERNET LAW
VOLUME 15, NUMBER 12, JUNE 2012
EDITED BY DLA PIPER

PROTECTION IN THE CLOUD: RISK MANAGEMENT AND INSURANCE FOR CLOUD COMPUTING . . . . . 1
By Joshua Gold

CYBER-TERRITORY AND JURISDICTION OF NATIONS . . . . . 3
By Georgios I. Zekos

ON DOMAIN NAMES AND TRADEMARKS . . . . . 29
By Ana Rački Marinković

PROTECTION IN THE CLOUD: RISK MANAGEMENT AND INSURANCE FOR CLOUD COMPUTING
By Joshua Gold

Joshua Gold is a shareholder at Anderson Kill & Olick, P.C. in New York, NY. Mr. Gold regularly represents policyholders, including gaming and hospitality businesses, software companies, and retailers, in insurance coverage matters and disputes concerning contracts, liability, arbitration, time element insurance, electronic data, and related property-casualty insurance coverage issues. He can be reached at jgold@andersonkill.com.

A major technological trend these days is cloud computing. Many businesses find themselves faced with the key decision of whether to embrace this technology and migrate their data (and sometimes the data of their customers) to a professional “cloud” firm to host and manage this data. While many companies are intrigued with the savings promised by sending their information to the cloud, money alone should not be allowed to dictate this decision. Just like any other online endeavor, cloud computing is not without risks—many of which are significant.

CLOUD PERILS

When cloud computing goes as planned, it can be an efficient way to outsource a significant part of a business’ management of electronically captured information. It may also yield savings, as do other out-sourcing strategies. When cloud computing goes “off the rails,” however, the consequences can be devastating.

Take, for example, a massive cloud-computing breach that occurred in 2011. The cloud security breach affected one of the largest entertainment and electronics companies in the world, its customers, and one of the largest cloud-services firms—all at once.[1] Specifically, the entertainment firm had entrusted data to a cloud-computing company that was in turn infiltrated by computer hackers. According to reports of the incident, approximately
100 million customer account files (including credit and debit card information) were compromised when the hackers infiltrated the cloud site and improperly accessed the sensitive account information. What was unique in this situation is that the hackers actually had a legitimate account set up with the cloud-computing site (albeit with phony identifying information and fraudulent intentions), as opposed to hackers who anonymously hack into other networks or systems.

Another cloud-security breach involved a company that provides e-mail services[2] to other businesses and handles more than 40 billion e-mails annually for more than “2,000 global brands.”[3] In a 2011 statement issued after the breach, the hacked company indicated that “clients’ customer data were exposed by an unauthorized entry into [the company’s] email system. The information that was obtained was limited to email addresses and/or customer names only.”[4]

Among the company’s customers are three of the top ten US banks, as well as other financial institutions. After the breach, numerous customers of the e-mail services company sent warnings to their own customers alerting them to the existence of the stolen information.

LOSSES, LITIGATION, AND LACK OF CONFIDENCE

Should data in the cloud be hacked, a business can be certain of the prospects of becoming embroiled in class action litigation and insurance coverage litigation,[5] business interruption, a hit to the firm’s good will, remediation costs, customer notification costs, government inquiries (both formal and informal), investigations, litigation brought by state attorneys general, and other costs, expenses, and claims.

In fairly recent disclosure guidance from the US Securities and Exchange Commission (SEC), one of its departments identified certain consequences of cyber-breaches that have relevance in the context of a cloud-computing breach. Registrants who fall victim to successful cyber-attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

• Remediation costs that may include liability for stolen assets or information and for repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after a cyber-attack.
• Increased cyber-security protection costs that may be incurred from organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants.
• Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following a cyber-attack.
• Litigation.
• Reputational damage adversely affecting customer or investor confidence.[6]

Today, for just about any company, a cloud-computing breach means facing financial fraud loss, privacy invasion claims, business interruption, loss of good will, and litigation, including class action litigation.

CATEGORIES OF DATA ON THE CLOUD

For any company considering cloud computing, one of the early questions is what information will be entrusted to the cloud: Does one allow company trade secrets, employee benefits/medical information, and/or financial information into the cloud?

If sensitive information is being considered to be put into the cloud, then a central question becomes the level of due diligence that a firm will perform to ensure that the cloud is both suitable and safe to house and manage the data. The level of due diligence can take many forms, including questionnaires, attestations, third-party assessment, and on-site audits. The more sensitive the data in question are, the more comprehensive the due diligence effort must be. As part of this process, firms should also consider obtaining from cloud-service companies representations, warranties, insurance, and indemnity protection.
DATA-SECURITY STRATEGY

For those considering cloud computing, the data-security risks described above should lead to a checklist. Specifically, due diligence should be performed to find out how the cloud-computing company erects safety walls between the data stored and processed for one client versus those supplied by another customer. A checklist of due diligence items will vary from company to company, but it could include some of the following efforts:

• Meetings with cloud provider to discuss security strategies.
• Specific discussions with cloud firms regarding their employment of state-of-the-art security software and techniques.
• Establishing clear understandings and obligations for notices of a security breach.
• Reviewing the data-security track records of those firms under consideration to provide data hosting/management services.
• Conducting security audits.
• Negotiating the right to conduct security audits.
• Seeking the names of references and then interviewing those references as to their experiences with the cloud firm.

Issues regarding indemnification and insurance should also be discussed to be prepared in the event that a data breach were to occur. Businesses should require immediate notification of a data breach should the cloud firm detect one. Businesses should also explore whether they would have to disclose to their own customers, employees, and potentially others, that certain data that they might have an interest in have been supplied, shared, or transmitted to a third party for storage or processing. Additionally, businesses may wish to consider whether there are certain categories of information that are simply too sensitive to provide to an external source and, therefore, must remain off the cloud.

RISK MANAGEMENT: SAFEGUARDING DATA

Businesses can help make informed decisions regarding the extent to which they use cloud computing by having risk managers working in tandem with their information technology (IT) departments and in-house attorneys to protect data that are created by the business or entrusted to it by outside entities and individuals. One of the starting points in this endeavor is developing a data-security protocol that establishes clear directives regarding the handling of and access to information within the organization and to information that might be transmitted outside the organization as part of cloud computing. Virtually any company will have its own business and employee information electronically captured. So too will it have the e-data of its customers, including, often, account information.

An important step in the risk management process is to inventory the information possessed and determine its sensitivity. Certain categories of information demand heightened protection, including health information, personally identifying information of customers and employees, certain types of nonpublic financial information, trade secrets, customer lists, and business processes that yield competitive advantages. Decisions should be made as to whether this information is to be part of the businesses’ cloud computing plan or not. If it is, then, as noted earlier, due diligence should follow regarding the cloud-computing vendor’s security, insurance, and indemnification obligations.

Once such information is identified for heightened protection, it usually is not enough to simply guard against external threats of unauthorized access. It is also important to make intelligent decisions about internal access to protected classes of information—whether being accessed from on-site servers or from a cloud firm. Businesses should find out what levels of employees within a cloud-computing firm have access to information. Not surprisingly, some cloud-computing firms have several other divisions and business enterprises. It is important to know who has access to what categories of information to get a handle on both external and internal hacking threats.

For example, it can be risky (and unnecessary) to grant company-wide access to sensitive business information. Instead, under most circumstances, limiting the access internally to such information based upon necessity and security clearance reduces the risk of unauthorized or improper disclosure of sensitive information. With cloud computing, this analysis must be performed on two different levels.
INSURANCE COVERAGE CONSIDERATIONS

Insurance coverage is available for losses arising from computer fraud or theft under both existing and new stand-alone insurance products. Some of this coverage is quite valuable, but it should never be thought of as being “customer-friendly.”

Policy terms should be closely scrutinized to see if the use of cloud computing would alter or reduce coverage. For example, a common feature of recent network security policies involves clauses that purport to condition coverage on the absence of errors or omissions in the data-security measures employed by the policyholder. Such insurance policy clauses have the potential to be exploited when insurance companies argue that a policyholder was somehow derelict in safeguarding computer data from hackers, among others. Furthermore, some policies may attempt to limit insurance coverage when a data breach occurs when a computer is not actively connected to a network. Accordingly, policyholders should steer toward selecting insurance policy forms that are devoid of as many coverage exclusions (a.k.a. the fine print) as possible.

SEC DISCLOSURE GUIDANCE

As indicated earlier, the SEC has provided guidance to registrants as to what disclosure obligations they may face as a result of their cyber-exposure. In relevant part:

In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.5 Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

• Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
• To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
• Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
• Risks related to cyber incidents that may remain undetected for an extended period; and
• Description of relevant insurance coverage.

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.[7]
One large software and cloud-computing company has disclosed certain cloud-computing perils in its securities disclosures, as follows:

Security vulnerabilities in our products and services could lead to reduced revenues or to liability claims. Maintaining the security of computers and computer networks is a critical issue for us and our customers. Hackers develop and deploy viruses, worms, and other malicious software programs that attack our products and gain access to our networks and data centers. Although this is an industry-wide problem that affects computers across all platforms, it affects our products in particular because hackers tend to focus their efforts on the most popular operating systems and programs and we expect them to continue to do so. We devote significant resources to address security vulnerabilities through:

• engineering more secure products and services;
• enhancing security and reliability features in our products and services;
• helping our customers make the best use of our products and services to protect against computer viruses and other attacks;
• improving the deployment of software updates to address security vulnerabilities;
• investing in mitigation technologies that help to secure customers from attacks even when such software updates are not deployed; and
• providing customers online automated security tools, published security guidance, and security software such as firewalls and anti-virus software.[8]

The cloud firm goes on to indicate that:

Improper disclosure of personal data could result in liability and harm our reputation. We store and process large amounts of personally identifiable information as we sell software, provide support and offer cloud-based services to customers. It is possible that our security controls over personal data, our training of employees and vendors on data security, and other practices we follow may not prevent the improper disclosure of personally identifiable information. Improper disclosure of this information could harm our reputation, lead to legal exposure to customers, or subject us to liability under laws that protect personal data, resulting in increased costs or loss of revenue. Our software products and services also enable our customers to store and process personal data. Perceptions that our products or services do not adequately protect the privacy of personal information could inhibit sales of our products or services.[9]

DIRECTORS AND OFFICERS INSURANCE CONCERNS

The SEC’s guidance relates to what disclosures should be made by companies subject to the 1933 Securities Act and the 1934 Securities Exchange Act. Corporations must now consider what disclosures specific to cyber-security, and to cloud computing, are appropriate in their securities filings. The new disclosure requirements place added focus on directors and officers (D&O) insurance coverage—both at the point of purchase and at the point of claim payment should a cyber-loss ensue.

The SEC identifies several aspects of cyber-perils to be disclosed when applicable. These include an analysis of potential exposure to a data breach or attack, a discussion of material cyber-incidents, a description of related legal proceedings, and the implications for the firm’s finances.

The issue of cyber-perils has thus been elevated from risk management, legal, and IT departments to the corporate suite. This will entail far greater scrutiny from investors as to what is disclosed and the quality of the disclosure—all judged with 20/20 hindsight. D&O underwriters will accordingly find new interest in their customers’ cyber-security issues and preventive measures, and they will likely add new or more-tailored questions concerning both past cyber-incidents and present plans for curtailing or preventing data breaches.

As with any insurance application, it is imperative to answer these new applications carefully. Policyholders should also be aware that some insurance applications are purposefully designed to ask overly broad questions that are nothing more than
a snare and a potential coverage fight. Policyholders should therefore prepare for negotiation over the terms of insurance applications.

Ensuring that D&O coverage will be available should a cyber-related lawsuit arise that targets management is critical to defraying the significant defense and indemnity costs often involved in lawsuits against directors and officers. Thus, added care must go into reviewing all D&O insurance policy terms and endorsements (including those contained in the primary, excess layer, and Side A policy forms). It is likely that some insurance companies will try to insert exclusions into D&O policies akin to those inserted into many specialty Internet policies. Many of these terms are vague and may lead to sharp disagreements over their effect on the scope of insurance coverage for a cyber-related claim.

Beyond D&O insurance issues, companies should also have an overall cyber-risk management plan that draws from various departments, including financial, risk management, legal, and IT departments, and at least some senior managers.

One key step for a business is to build a computer infrastructure with up-to-date security to guard against hackers, malware, and viruses. Plaintiffs, regulators, and insurance companies often seize upon accusations that a business has used obsolete or ineffectual security measures to guard against unauthorized data-access events.

A second step is that a business should disclose the extent of its cloud-computing use to its customers, partners, suppliers, and other parties who may transmit or share data to conduct business. While such a disclosure may not be mandatory, it can go a long way toward nullifying certain accusations by third parties. Also, a business should undertake (and document) due diligence measures regarding the security employed by the company that is providing the data hosting or management. It is important for a business to demonstrate and make a record that it has been judicious in its entrustment of data to any offsite businesses, such as a cloud-computing firm.

A third step, when cloud-computing firms are utilized, is for a business to make sure that the contractual agreements expressly set forth the level of indemnity and “hold harmless” protection that the cloud company will provide should the entrusted data be hacked. Businesses should also insist on representations and warranties regarding the level of security employed by the cloud firm to protect the entrusted data against hacks from outsiders, other cloud customers, and even improper internal access of data from within other segments of the cloud-computing firm.

CONCLUSION

Advanced planning and analysis will not only ease the burden of navigating the SEC’s new pronouncements on data security threats, but it will also prepare a business, should a hacking incident occur, to cope with state notice laws, shareholder litigation, and inquiries and potential lawsuits from government authorities, including the SEC, Federal Trade Commission (FTC) and state attorneys general.

NOTES

1. See Joseph Galante, Olga Kharif & Pavel Alpeyev, “Sony Network Breach Shows Amazon Cloud’s Appeal for Hackers,” Bloomberg, May 16, 2011, available at www.bloomberg.com/news/2011-05-15/sony-attack-shows-amazon-s-cloud-service-lures-hackers-at-pennies-an-hour.html.
2. See Erik Sherman, “The Epsilon Email Break-In: A Bad Break for The Cloud,” CBS News, Apr. 5, 2011, available at www.cbsnews.com/8301-505124_162-43449742/the-epsilon-email-break-in-a-bad-break-for-the-cloud/.
3. See Paul Ducklin, “Epsilon Email Address Megaleak Hands Customers’ Customers to Spammers,” Naked Security, Apr. 4, 2011, nakedsecurity.sophos.com/2011/04/04/epsilon-email-address-megaleak-hands-customers-customers-to-spammers/; “What Effect Will the Epsilon Data Theft Have on Cloud Computing?,” CloudTweaks, Apr. 13, 2011, cloudtweaks.com/2011/04/what-effect-will-the-epsilon-data-theft-have-on-cloud-computing/.
4. See Jorgen Wouters, “Massive Hack of Top E-Marketer May Leave Millions Open to Phishing Attacks,” Daily Finance, Apr. 4, 2011.
5. See generally, Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (S. Ct., N.Y. County).
6. Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity, Oct. 13, 2011.
7. Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity, Oct. 13, 2011.
8. Microsoft Investor Relations, “Risks and Uncertainties,” Item 1A. Risk Factors, http://www.microsoft.com/investor/EarningsAndFinancials/Earnings/RisksAndUncertainities/FY11/Q2/RisksAndUncertainties.aspx.
9. Id.
Copyright of Journal of Internet Law is the property of Aspen Publishers Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.