JOURNAL OF INTERNET LAW
VOLUME 15, NUMBER 12, JUNE 2012
EDITED BY DLA PIPER

PROTECTION IN THE CLOUD: RISK MANAGEMENT AND INSURANCE FOR CLOUD COMPUTING

By Joshua Gold

Joshua Gold is a shareholder at Anderson Kill & Olick, P.C. in New York, NY. Mr. Gold regularly represents policyholders, including gaming and hospitality businesses, software companies, and retailers, in insurance coverage matters and disputes concerning contracts, liability, arbitration, time element insurance, electronic data, and related property-casualty insurance coverage issues. He can be reached at firstname.lastname@example.org.

A major technological trend these days is cloud computing. Many businesses find themselves faced with the key decision of whether to embrace this technology and migrate their data (and sometimes the data of their customers) to a professional “cloud” firm to host and manage this data. While many companies are intrigued with the savings promised by sending their information to the cloud, money alone should not be allowed to dictate this decision. Just like any other online endeavor, cloud computing is not without risks—many of which are significant.

CLOUD PERILS

When cloud computing goes as planned, it can be an efficient way to outsource a significant part of a business’ management of electronically captured information. It may also yield savings, as do other out-sourcing strategies. When cloud computing goes “off the rails,” however, the consequences can be devastating. Take, for example, a massive cloud-computing breach that occurred in 2011. The cloud security breach affected one of the largest entertainment and electronics companies in the world, its customers, and one of the largest cloud-services firms—all at once.1 Specifically, the entertainment firm had entrusted data to a cloud-computing company that was in turn infiltrated by computer hackers. According to reports of the incident, approximately 100 million customer account files (including credit and debit card information) were compromised when the hackers infiltrated the cloud site and improperly accessed the sensitive account information. What was unique in this situation is that the hackers actually had a legitimate account set up with the cloud-computing site (albeit with phony identifying information and fraudulent intentions), as opposed to hackers who anonymously hack into other networks or systems.

Another cloud-security breach involved a company that provides e-mail services2 to other businesses and handles more than 40 billion e-mails annually for more than “2,000 global brands.”3 In a 2011 statement issued after the breach, the hacked company indicated that “clients’ customer data were exposed by an unauthorized entry into [the company’s] email system. The information that was obtained was limited to email addresses and/or customer names only.”4

Among the company’s customers are three of the top ten US banks, as well as other financial institutions. After the breach, numerous customers of the e-mail services company sent warnings to their own customers alerting them to the existence of the stolen information.

LOSSES, LITIGATION, AND LACK OF CONFIDENCE

Should data in the cloud be hacked, a business can be certain of the prospects of becoming embroiled in class action litigation and insurance coverage litigation,5 business interruption, a hit to the firm’s good will, remediation costs, customer notification costs, government inquiries (both formal and informal), investigations, litigation brought by state attorneys general, and other costs, expenses, and claims.

In fairly recent disclosure guidance from the US Securities and Exchange Commission (SEC), one of its departments identified certain consequences of cyber-breaches that have relevance in the context of a cloud-computing breach. Registrants who fall victim to successful cyber-attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

• Remediation costs that may include liability for stolen assets or information and for repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after a cyber-attack.
• Increased cyber-security protection costs that may be incurred from organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants.
• Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following a cyber-attack.
• Litigation.
• Reputational damage adversely affecting customer or investor confidence.6

Today, for just about any company, a cloud-computing breach means facing financial fraud loss, privacy invasion claims, business interruption, loss of good will, and litigation, including class action litigation.

CATEGORIES OF DATA ON THE CLOUD

For any company considering cloud computing, one of the early questions is what information will be entrusted to the cloud: Does one allow company trade secrets, employee benefits/medical information, and/or financial information into the cloud?

If sensitive information is being considered to be put into the cloud, then a central question becomes the level of due diligence that a firm will perform to ensure that the cloud is both suitable and safe to house and manage the data. The level of due diligence can take many forms, including questionnaires, attestations, third-party assessment, and on-site audits. The more sensitive the data in question are, the more comprehensive the due diligence effort must be. As part of this process, firms should also consider obtaining from cloud-service companies representations, warranties, insurance, and indemnity protection.
DATA-SECURITY STRATEGY

For those considering cloud computing, the data-security risks described above should lead to a checklist. Specifically, due diligence should be performed to find out how the cloud-computing company erects safety walls between the data stored and processed for one client versus those supplied by another customer.

A checklist of due diligence items will vary from company to company, but it could include some of the following efforts:

• Meetings with cloud provider to discuss security strategies.
• Specific discussions with cloud firms regarding their employment of state-of-the-art security software and techniques.
• Establishing clear understandings and obligations for notices of a security breach.
• Reviewing the data-security track records of those firms under consideration to provide data hosting/management services.
• Conducting security audits.
• Negotiating the right to conduct security audits.
• Seeking the names of references and then interviewing those references as to their experiences with the cloud firm.

Issues regarding indemnification and insurance should also be discussed to be prepared in the event that a data breach were to occur. Businesses should require immediate notification of a data breach should the cloud firm detect one. Businesses should also explore whether they would have to disclose to their own customers, employees, and potentially others, that certain data that they might have an interest in have been supplied, shared, or transmitted to a third party for storage or processing. Additionally, businesses may wish to consider whether there are certain categories of information that are simply too sensitive to provide to an external source and, therefore, must remain off the cloud.

RISK MANAGEMENT: SAFEGUARDING DATA

Businesses can help make informed decisions regarding the extent to which they use cloud computing by having risk managers working in tandem with their information technology (IT) departments and in-house attorneys to protect data that are created by the business or entrusted to it by outside entities and individuals. One of the starting points in this endeavor is developing a data-security protocol that establishes clear directives regarding the handling of and access to information within the organization and to information that might be transmitted outside the organization as part of cloud computing. Virtually any company will have its own business and employee information electronically captured. So too will it have the e-data of its customers, including, often, account information.

An important step in the risk management process is to inventory the information possessed and determine its sensitivity. Certain categories of information demand heightened protection, including health information, personally identifying information of customers and employees, certain types of nonpublic financial information, trade secrets, customer lists, and business processes that yield competitive advantages. Decisions should be made as to whether this information is to be part of the businesses’ cloud computing plan or not. If it is, then, as noted earlier, due diligence should follow regarding the cloud-computing vendor’s security, insurance, and indemnification obligations.

Once such information is identified for heightened protection, it usually is not enough to simply guard against external threats of unauthorized access. It is also important to make intelligent decisions about internal access to protected classes of information—whether being accessed from on-site servers or from a cloud firm. Businesses should find out what levels of employees within a cloud-computing firm have access to information. Not surprisingly, some cloud-computing firms have several other divisions and business enterprises. It is important to know who has access to what categories of information to get a handle on both external and internal hacking threats.

For example, it can be risky (and unnecessary) to grant company-wide access to sensitive business information. Instead, under most circumstances, limiting the access internally to such information based upon necessity and security clearance reduces the risk of unauthorized or improper disclosure of sensitive information. With cloud computing, this analysis must be performed on two different levels.
INSURANCE COVERAGE CONSIDERATIONS

Insurance coverage is available for losses arising from computer fraud or theft under both existing and new stand-alone insurance products. Some of this coverage is quite valuable, but it should never be thought of as being “customer-friendly.”

Policy terms should be closely scrutinized to see if the use of cloud computing would alter or reduce coverage. For example, a common feature of recent network security policies involves clauses that purport to condition coverage on the absence of errors or omissions in the data-security measures employed by the policyholder. Such insurance policy clauses have the potential to be exploited when insurance companies argue that a policyholder was somehow derelict in safeguarding computer data from hackers, among others. Furthermore, some policies may attempt to limit insurance coverage when a data breach occurs when a computer is not actively connected to a network. Accordingly, policyholders should steer toward selecting insurance policy forms that are devoid of as many coverage exclusions (a.k.a. the fine print) as possible.

SEC DISCLOSURE GUIDANCE

As indicated earlier, the SEC has provided guidance to registrants as to what disclosure obligations they may face as a result of their cyber-exposure. In relevant part:

  In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

  Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.5 Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

  A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.7
One large software and cloud-computing company has disclosed certain cloud-computing perils in its securities disclosures, as follows:

  Security vulnerabilities in our products and services could lead to reduced revenues or to liability claims. Maintaining the security of computers and computer networks is a critical issue for us and our customers. Hackers develop and deploy viruses, worms, and other malicious software programs that attack our products and gain access to our networks and data centers. Although this is an industry-wide problem that affects computers across all platforms, it affects our products in particular because hackers tend to focus their efforts on the most popular operating systems and programs and we expect them to continue to do so. We devote significant resources to address security vulnerabilities through:

  • engineering more secure products and services;
  • enhancing security and reliability features in our products and services;
  • helping our customers make the best use of our products and services to protect against computer viruses and other attacks;
  • improving the deployment of software updates to address security vulnerabilities;
  • investing in mitigation technologies that help to secure customers from attacks even when such software updates are not deployed; and
  • providing customers online automated security tools, published security guidance, and security software such as firewalls and anti-virus software.8

The cloud firm goes on to indicate that:

  Improper disclosure of personal data could result in liability and harm our reputation. We store and process large amounts of personally identifiable information as we sell software, provide support and offer cloud-based services to customers. It is possible that our security controls over personal data, our training of employees and vendors on data security, and other practices we follow may not prevent the improper disclosure of personally identifiable information. Improper disclosure of this information could harm our reputation, lead to legal exposure to customers, or subject us to liability under laws that protect personal data, resulting in increased costs or loss of revenue. Our software products and services also enable our customers to store and process personal data. Perceptions that our products or services do not adequately protect the privacy of personal information could inhibit sales of our products or services.9

DIRECTORS AND OFFICERS INSURANCE CONCERNS

The SEC’s guidance relates to what disclosures should be made by companies subject to the 1933 Securities Act and the 1934 Securities Exchange Act. Corporations must now consider what disclosures specific to cyber-security, and to cloud computing, are appropriate in their securities filings. The new disclosure requirements place added focus on directors and officers (D&O) insurance coverage—both at the point of purchase and at the point of claim payment should a cyber-loss ensue.

The SEC identifies several aspects of cyber-perils to be disclosed when applicable. These include an analysis of potential exposure to a data breach or attack, a discussion of material cyber-incidents, a description of related legal proceedings, and the implications for the firm’s finances.

The issue of cyber-perils has thus been elevated from risk management, legal, and IT departments to the corporate suite. This will entail far greater scrutiny from investors as to what is disclosed and the quality of the disclosure—all judged with 20/20 hindsight. D&O underwriters will accordingly find new interest in their customers’ cyber-security issues and preventive measures, and they will likely add new or more-tailored questions concerning both past cyber-incidents and present plans for curtailing or preventing data breaches.

As with any insurance application, it is imperative to answer these new applications carefully. Policyholders should also be aware that some insurance applications are purposefully designed to ask overly broad questions that are nothing more than a snare and a potential coverage fight. Policyholders should therefore prepare for negotiation over the terms of insurance applications.

Ensuring that D&O coverage will be available should a cyber-related lawsuit arise that targets management is critical to defraying the significant defense and indemnity costs often involved in lawsuits against directors and officers. Thus, added care must go into reviewing all D&O insurance policy terms and endorsements (including those contained in the primary, excess layer, and Side A policy forms). It is likely that some insurance companies will try to insert exclusions into D&O policies akin to those inserted into many specialty Internet policies. Many of these terms are vague and may lead to sharp disagreements over their effect on the scope of insurance coverage for a cyber-related claim.

Beyond D&O insurance issues, companies should also have an overall cyber-risk management plan that draws from various departments, including financial, risk management, legal, and IT departments, and at least some senior managers.

One key step for a business is to build a computer infrastructure with up-to-date security to guard against hackers, malware, and viruses. Plaintiffs, regulators, and insurance companies often seize upon accusations that a business has used obsolete or ineffectual security measures to guard against unauthorized data-access events.

A second step is that a business should disclose the extent of its cloud-computing use to its customers, partners, suppliers, and other parties who may transmit or share data to conduct business. While such a disclosure may not be mandatory, it can go a long way toward nullifying certain accusations by third parties. Also, a business should undertake (and document) due diligence measures regarding the security employed by the company that is providing the data hosting or management. It is important for a business to demonstrate and make a record that it has been judicious in its entrustment of data to any offsite businesses, such as a cloud-computing firm.

A third step, when cloud-computing firms are utilized, is for a business to make sure that the contractual agreements expressly set forth the level of indemnity and “hold harmless” protection that the cloud company will provide should the entrusted data be hacked. Businesses should also insist on representations and warranties regarding the level of security employed by the cloud firm to protect the entrusted data against hacks from outsiders, other cloud customers, and even improper internal access of data from within other segments of the cloud-computing firm.

CONCLUSION

Advanced planning and analysis will not only ease the burden of navigating the SEC’s new pronouncements on data security threats, but it will also prepare a business, should a hacking incident occur, to cope with state notice laws, shareholder litigation, and inquiries and potential lawsuits from government authorities, including the SEC, Federal Trade Commission (FTC) and state attorneys general.

NOTES

1. See Joseph Galante, Olga Kharif & Pavel Alpeyev, “Sony Network Breach Shows Amazon Cloud’s Appeal for Hackers,” Bloomberg, May 16, 2011, available at www.bloomberg.com/news/2011-05-15/sony-attack-shows-amazon-s-cloud-service-lures-hackers-at-pennies-an-hour.html.
2. See Erik Sherman, “The Epsilon Email Break-In: A Bad Break for The Cloud,” CBS News Apr. 5, 2011, available at www.cbsnews.com/8301-505124_162-43449742/the-epsilon-email-break-in-a-bad-break-for-the-cloud/.
3. See Paul Ducklin, “Epsilon Email Address Megaleak Hands Customers’ Customers to Spammers,” Naked Security Apr. 4, 2011, nakedsecurity.sophos.com/2011/04/04/epsilon-email-address-megaleak-hands-customers-customers-to-spammers/; What Effect Will the Epsilon Data Theft Have on Cloud Computing?, CloudTweaks, Apr. 13, 2011, cloudtweaks.com/2011/04/what-effect-will-the-epsilon-data-theft-have-on-cloud-computing/.
4. See Jorgen Wouters, “Massive Hack of Top E-Marketer May Leave Millions Open to Phishing Attacks,” Daily Finance, Apr. 4, 2011.
5. See generally, Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (S. Ct., N.Y. County.).
6. Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity, Oct. 13, 2011.
7. Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity, Oct. 13, 2011.
8. Microsoft Investor Relations, “Risks and Uncertainties,” Item 1A. Risk Factors, http://www.microsoft.com/investor/EarningsAndFinancials/Earnings/RisksAndUncertainities/FY11/Q2/RisksAndUncertainties.aspx.
9. Id.

Copyright of Journal of Internet Law is the property of Aspen Publishers Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.