Imagine turning on your computer and as it boots up, a dark screen appears with a law enforcement logo (think “FBI”) at the top of the pop-up box with “Warning—Law Enforcement Agencies are investigating you because your computer has been used for criminal activity including violations of copyright laws by downloading pirated software.”
You are told that access to your computer will be blocked until you pay the fine noted in the pop-up box. And to make it seem even more menacing, the pop-up box displays your computer’s IP address and there is a blurry video of what looks like you working on your computer (giving you the impression that you are being watched through your own webcam).
Of course, you are free to ignore the threat but the malware will lock you out of your computer. You could pay money, but can you trust someone to keep their word when they are holding your computer hostage?
This is not a script for a sequel to Mel Gibson’s 1996 kidnapping thriller “Ransom;” this is a specific family of malware that started showing up with greater frequency in 2012. It goes by the labels ransomware or scareware. You want access to your data, so what do you do? Are you really being held hostage, or is this just a bluff?
The amount of electronic information in the world is estimated to be doubling every two years, and securely managing that data has become a top priority. While having 24/7 access to and control over your own data remains a high priority, many users have discovered that storing data remotely, in the cloud, offers significant advantages that local storage does not.
Indeed, according to a recent survey, cloud computing is scheduled to surpass local on-site storage in the legal industry in the near future. Why? Because the benefits are significant—on-demand connectivity, business continuity, flexibility, scalability, and reduced costs, to name a few.
However, there is a dark side to the cloud. There are a number of serious risks in storing data in the cloud, and the two largest risks, security and access, are almost impossible to address adequately.
Following the theory that people rob banks because that is where the money is, hackers rob the cloud because that is where the data is. Hackers are targeting corporations, universities, and governmental agencies to steal confidential and sensitive data.
Access is the other risk: cloud service providers are not immune from interruptions of service either. In a recent extended outage of Amazon’s Elastic Block Store service, which is part of Amazon’s “infrastructure as a service” cloud computing offering, a number of sites were knocked partially or totally offline for a period of time. That outage was an operational failure inside the service rather than an attack, but from the customer’s side the effect was the same: the data was unreachable. For a CIO or CISO, data theft and security breaches are akin to bank robberies.
Worst Case Scenario.
So what do you do if you are the CIO or CISO and you want to take advantage of some of the benefits offered by cloud storage? You do your due diligence, make an informed and reasoned decision, trust your instincts, take a little leap of faith and hope it works out. After all, what is the worst thing that could happen?
On January 22, 2013, we found out, when a global pharmaceutical and healthcare company filed a lawsuit against its e-discovery vendor and cloud computing provider for allegedly holding 20 terabytes of data “hostage,” threatening to withhold and destroy the data unless an $80,000 payment (characterized by the plaintiff as “ransom”) was paid (GlaxoSmithKline LLC v. Discovery Works Legal Inc., Index No. 650210/2013, N.Y. Sup. Ct., complaint filed Jan. 22, 2013).
GlaxoSmithKline LLC (“GSK”), filed suit against Discovery Works Legal, Inc. (“DWL”), and its CEO, Harry Debari (“Debari”) in the Supreme Court of the State of New York seeking injunctive relief enjoining the defendants from “destroying, purging, deleting or in any other way harming GSK’s confidential information … .”
GSK is also asking for the immediate return of its data and an accounting of GSK’s data including the whereabouts of that data. In terms of damages, GSK is seeking compensatory and punitive damages for defendants’ “gross, wanton, deliberate and morally culpable misconduct.”
Background.
According to the complaint filed by GSK, in 2007, GSK entered into a General Services Agreement (“agreement”) with DWL for DWL to provide certain litigation support services to GSK including document scanning and processing.
Pursuant to the agreement, GSK would provide DWL with:
- (i) unprocessed, native electronic data collected from GSK’s systems, which included copies of employees’ hard drives and server repositories (the “Gross Data”), for DWL to filter, deduplicate and process into an electronic format (the “Processed Data”); and
- (ii) electronic data that GSK had deduplicated and filtered in-house (the “Filtered Data”).
All of this data was then sent to other service providers for subsequent review. DWL kept the originally received Gross Data and Filtered Data on its network storage platforms, along with a copy of the Processed Data that it sent to other providers.
Importantly, DWL also generated and maintained unique indices and reports concerning the manner in which the Gross Data and Filtered Data were processed, which link the review databases (used in the various GSK legal proceedings for which DWL has provided support) back to the native files.
GSK Builds Protection and Safeguards Into Agreement.
The parties negotiated and entered into an agreement that contained a number of important provisions to act as safeguards for GSK’s data with respect to several key issues—ownership, treatment, accounting for, and return of the data.
GSK required DWL to make representations as to the adequacy of capability and resources that it had. Moreover, DWL was required to keep GSK’s data strictly confidential and use it only to perform the work dictated by GSK under the agreement.
The agreement also provided that if GSK asked for its data to be returned, DWL would immediately return the data and account for all of GSK’s data. The agreement even contained a broad indemnification provision whereby DWL would indemnify GSK for its losses in connection with DWL’s misconduct and breaches under the agreement, including any failure to comply with confidentiality obligations.
Notably, there was no provision in the agreement that GSK had to pay to get any of its data back from DWL.
For example, Sections 11.1 and 11.2 of the Agreement addressed confidential property:
[DWL] agrees that any and all data, reports, specifications, computer programs or models and related documentation, business or research plans of GSK or its Affiliates or third parties and any other documents or information furnished to [DWL], or to which [DWL] is given access, by GSK in connection with the performance of this Agreement, shall be deemed to be the confidential property of GSK (“Confidential Information”).
*****
GSK is willing to disclose Confidential Information to [DWL] on the following terms: (a) [DWL] shall receive, maintain, and hold the Confidential Information in strict confidence; and (b) [DWL] shall not utilize Confidential Information, other than for performance hereunder;
Section 11.4 addressed DWL’s obligations to return GSK’s data upon demand:
At any time upon the request of GSK, the Confidential Information, including any copies, shall be returned to GSK, and (ii) all other embodiments of the Confidential Information in the possession of [DWL], including all copies and/or any other form or reproduction thereof made by [DWL], shall, at GSK’s option, be returned to GSK or destroyed.
Section 14.1 provided GSK with indemnification protection:
[DWL] shall defend, indemnify and hold harmless GSK … from and against any and all liabilities, claims, suits, actions, losses, costs, reasonable attorneys’ fees and expenses, judgments or damages, whether ordinary, special or consequential, arising out of or in any way connected with [DWL], and/or its officers, employees, agents, representatives, contractors, subcontractors or invitees: … (b) acts, omissions, negligence, misconduct, or dishonesty in connection with the performance hereunder; (c) breach of a representation, warranty and/or covenant, or failure to perform its obligations hereunder; … [and] (e) failure to comply with the confidentiality obligations set forth herein.
A Smooth Ride and Then the Crash.
From 2007 through 2011, it appears that the relationship between GSK and DWL worked well. GSK sent DWL an estimated 20 to 50 terabytes, or between 150 and 375 million pages, of GSK’s privileged, confidential, and proprietary information, consisting of non-public research and development information, trade secrets, contracting and pricing information, patent portfolio data, senior executive communications, raw sales data, and private and personal information concerning GSK employees and third parties.
There were no reports of any problems until 2011, when GSK became concerned because it heard rumors that DWL was encountering financial difficulties and having trouble paying its creditors. Over a relatively short period of time, GSK’s concerns escalated to the point that GSK felt that it had to take drastic steps to safeguard all of its data.
In September 2011, GSK confronted DWL and asked first for a report listing all of GSK’s data and then for DWL to return that data to GSK in accordance with the terms of the contract. DWL told GSK that it maintained accurate records and that it would comply with the request. Unfortunately, it never returned the data.
As reports of DWL’s instability increased, GSK ramped up its efforts to get its data back but to no avail. Finally, instead of giving GSK its data back, according to the complaint, DWL sent GSK a threatening note demanding a “ransom” of $50,000—including an up-front payment of $25,000.
After more failed negotiations, DWL sent an email on Jan. 2, 2013, which said: “Please advise if you are still interested in proceeding? In the absence of a response, we are in process of purging all closed matter data, and will purge all GSK data in our possession.”
In addition, while DWL told GSK that it had in excess of 20 terabytes of GSK’s data, it refused to say where GSK’s data was located. When GSK pressed DWL for more details about the data, DWL said that the part of DWL holding it was going to be “defunct” and that, unless GSK paid the money demanded immediately, it would delete all of the GSK data.
Further attempts by GSK personnel and its lawyers to reach an agreement with DWL only resulted in DWL ramping up the rhetoric and accusing GSK of “malfeasance,” “skullduggery,” and “harassment,” and telling GSK “bombs away.”
DWL then increased its demand to $80,000, including an advance payment of $55,000, of which $30,000 would go to Debari as a consulting charge. It was at this point that GSK apparently felt that it had no choice but to file a complaint in New York state court for injunctive relief and damages.
The complaint reveals the level of GSK’s frustration and the overwhelming risk that GSK was facing:
[G]iven Mr. Debari’s irrational and erratic behavior, GSK has no adequate assurances, and no reason to believe, that he will not take GSK’s money and simply walk away from the data and its repositories and leave it dispersed, unaccounted for and in the hands of whomever takes over those servers/repositories. Mr. Debari has already stated that Defendants have only ‘limited resources’ and soon ‘will not have the resources available’ to do the work required. In short, GSK can have no confidence that Mr. Debari and his ‘defunct’ company will account for, safeguard and retrieve GSK’s data without immediate court order—no matter how much ransom money GSK pays.
******
If disclosed, the genie could not be put back in the bottle. GSK would suffer massive competitive harm if for example, its trade secrets and proprietary information being [sic] exposed to its competitors. It would also be severely harmed if its privileged communications were exposed to its adversaries in litigations. The potential adverse impact on GSK and the company’s business, goodwill and reputation cannot be adequately calculated or compensated in damages—in particular from Defendants, who have shown themselves to be unstable.
Complaint at ¶¶ 56, 61.
Takeaway.
It is important to note that we have only heard one side of the story, so it will be interesting to see what develops and whether GSK could have done anything more in negotiating the contract with DWL to protect its data.
The literature on cloud computing identifies a number of critical steps in arranging for cloud computing services.
First, it is imperative that the service contract contain as many safeguards as possible for the protection of the data that is being stored including backup plans and “worst case scenarios.”
Second, the data owner has to do its due diligence and achieve a level of trust with the cloud service provider that the provider can protect the data that is being stored with it for the length of the contract.
By all appearances, the GSK/DWL agreement at issue addressed all of those risks on paper. And yet the parties still ended up fighting about the data: a contractual right to have data returned is not the same as the technical ability to retrieve it, and once the only copies of the raw data and the indices linking it to the review databases sat on the vendor’s servers, the contract was the only lever GSK had left.
One thing is clear, in the cloud, you have to be comfortable with the amount and nature of the data that you are putting in the cloud—and by extension putting at risk—because as this situation makes very clear, data in the cloud is outside of your control.