Insurance take on Cloud risks

Here are some points picked out from a talk by Seattle lawyers David Brenner and Bruce Goto this morning:

  • "Notice [of data breach] is the big driver of liability." This based on the two or three years of case law since the advent of the era of huge data breaches.
  • Lesson would seem to be, defeat class action lawyers by being good about notice. Though notice not a cakewalk: 47 state notice statues to comply with in US alone. Damage to reputation expensive to deal with in other ways, too.
  • Microsoft really figuring this stuff out from a risk management perspective, though industry as a whole still developing.
  • Don't assume cloud industry practices on data management meet legal standards on "exspoiliation" (this has to do with litigation and rules on the integrity of evidence).
  • Negotiating good contractual provisions is not as important as doing diligence on the provider. Ironically, the cloud service providers you may have more negotiating leverage with may be the riskiest to trust your data with.
  • You can try, but best vendors aren't likely to change their provisions on IP, warranty, indemnity, caps on liability. Your efforts likely better spent negotiating price. "These [cloud service agreements] are the new end user license agreements, in many ways."
  • Relative to new forms of activity, insurance industry cycles from old forms of insurance, to express exclusions, to restrictive forms, to new revised coverage. Insurance industry is now at point of issuing restrictive forms of coverage. Claims today are being litigated under old forms and terms of first generation exclusions.
  • No standardization yet of cyber insurance, though new policy categories surfacing: tech E&O; media; privacy; and security.

Errors in hearing or interpretation are mine.

King cloud

Photo: Karen Ka Ying Wong / Flickr.


blog comments powered by Disqus