What Recent Cyberattacks Mean for Cloud Data Privacy Liability

June 2, 2021, 8:00 AM UTC

The security industry is digesting President Joseph Biden’s new executive order designed to protect the nation’s cybersecurity networks, which was prompted by a supply chain attack involving SolarWinds and vulnerabilities in Microsoft Exchange. While the implementation will be key—the contractual requirements need to ensure that companies can calibrate their responsibilities while still operating sustainable businesses—the hope is that it will drive the industry toward greater security overall.

The EO follows a spate of more recent attacks—including ransomware attacks on the Colonial Pipeline, a series of health-care providers and Walmart—underscoring the importance of protecting our corporate and critical infrastructure networks.

In addition to assessing security controls, companies should look at their data privacy controls and at how expanded cloud use and third-party threats during the pandemic have transformed their liability.

This is particularly crucial given the growing number of data privacy regulations, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other state laws, and, potentially, federal privacy legislation.

Concentration Risk

Most companies that develop software (which is everyone these days) build their products on top of a larger cloud service provider. This exposes them to a “downstream supply chain” attack if the provider is compromised.

With only a few viable cloud infrastructure providers, “concentration risk” has become the norm for organizations in every industry that rely on a single big cloud provider. As with stock portfolios, diversity lessens the impact if something happens to one of the vendors. Because there are so few cloud infrastructure providers, a successful attacker can hit many customers at once.

As general counsel of a software-as-a-service (SaaS) company, I immediately thought about the liability implications of supply chain attacks when I heard about SolarWinds. Since I’ve been practicing law, the pendulum swing for how businesses think about liability related to data privacy has been extreme.

With on-premises software, you bought it and downloaded it, and you would normally see unlimited liability coverage because you didn’t have much data. When I joined Google nearly a decade ago and negotiated Google Cloud enterprise deals, we offered G Suite customers unlimited liability for anything related to privacy, and that shifted over the years.

Today, vendors cap liability at 12 times the amount of fees paid. It would be misguided for any cloud company to take on greater liability, and customers should be wary of offers of unlimited liability from vendors.

Accountability Principle

Businesses have to be sure they’re complying with data privacy regulations, not just in their own handling of customer data but for data that flows through third-party data processors and their sub-processors—they need to look at the entire processor chain.

GDPR introduced the accountability principle, which emphasizes the obligation of SaaS providers to develop, implement and maintain appropriate technical and organizational measures to keep data safe. Both vendors and customers are responsible for non-compliance with the obligations of the privacy laws.

When I was representing Google Cloud Platform in contract negotiations, I noticed that financial institutions were ahead of the curve in managing risk. They understood early the need to stay abreast of the threats to the security and privacy of customer data.

The Target breach of 2013, in which 40 million credit and debit card accounts were compromised via a supply chain attack involving an HVAC vendor, may have been a learning moment for the industry overall. Financial institutions conduct early and thorough investigations into every prospective vendor’s supply chain before closing a deal.

I’d never seen any other enterprise customer be so diligent about understanding supply-chain risks like that until now, with the advent of GDPR and CCPA, and I think it has been one of the key learnings in my career.

Cloud data privacy compliance issues have never been more important than in a post-pandemic world where organizations were forced to accelerate their cloud migrations seemingly overnight. Attacks in the cloud are increasing: a recent McAfee study found that there were more than 3 million attacks last year on cloud-based accounts.

Best Practices to Protect Against Supply Chain Risks

Here are some best practices to help protect data from supply chain risks associated with cloud service providers:

  • Look at the whole supply chain and make sure that the other providers involved in the data processing can provide sufficient guarantees that they implement the appropriate security and privacy safeguards and that the data is used and processed only for the identified purpose.
  • Scrutinize sub-processors carefully, including their expertise, reliability and resources. Sub-processors may not have a contract with the data controller—the company that is the original owner or receiver of the data—so it is the processor’s obligation to ensure GDPR compliance by its sub-processors.
  • Use a well-defined shared responsibility model. Regardless of the type of cloud provider—SaaS, infrastructure-as-a-service or platform-as-a-service—a detailed agreement with each cloud service provider that outlines the responsibilities of each party will help mitigate the risks of using cloud services.
  • Follow a privacy-by-design approach. Lawyers need to work closely with their product and engineering teams to embed privacy into the design of their products and services. They need to understand which third-party components are integrated into the service in order to stand behind the integrity and compliance of the product.

The growing number of cloud-based attacks confirms the importance of conducting thorough third-party risk assessments and of more rigorously classifying third parties with privileged access to data as critical vendors. Because supply chain attacks can affect any company, greater efforts to cooperate and be more transparent could help limit the spread of cybersecurity breaches.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Shana Simmons is the general counsel of Everlaw Inc., a collaborative, cloud-based ediscovery and investigation platform for corporate counsel, litigators, and government attorneys. Prior to Everlaw, she was at Google leading teams that supported Google Cloud’s growth and success in new markets around the world.