by Scott Jack
Content Contributor, E-N Computers
7+ years experience in healthcare IT and tech support.
Businesses are adopting cloud services in droves. Over the last decade, the number of businesses using a web application or cloud infrastructure has increased 30%. According to the latest data from market research firm IDC, the cloud computing industry is expected to reach $800 billion by 2025.
Cloud providers promise several benefits including greater flexibility, scalability, efficiency, and low or no upfront costs. Scalability and minimal capital expenditures are particularly appealing to small businesses looking to spread out costs while being ready to grow rapidly. However, there are some drawbacks to relying on the cloud.
Cloud systems give you less control than on-site hardware and software that you own outright. Web apps in particular give you limited, if any, control over backup and security protocols. When data loss or a breach occurs, your recourse depends heavily on the terms of your contract.
Service providers write their contracts to limit their liability. What you expect to receive in damages may be a lot less than what the provider is actually responsible for. Depending on the severity of the breach or loss, your business’s financial security may be threatened.
With that in mind, let’s discuss two categories of damages you’re likely to experience from data loss or breach, the contractual obligations of you and your cloud provider, and how to cover the costs. We’ll start with damages.
QUICK ANSWER:
What’s hiding in your cloud service contracts?
Pay special attention to the limit of liability your vendor has and what you are expected to indemnify them for, if anything. If you have cyber insurance, double-check that your coverage meets your needs.
Table of Contents
Damages
An incident can result in damages that are 1) direct or 2) indirect — consequential — damages. Direct damages are the immediate and expected results of a breach of contract. Indirect damages are not the immediate result of a contract breach nor are they foreseeable. Whether your damages are direct or indirect depends on the specifics of the case.
Consider some examples of direct and indirect damages. A common type of direct damages is what you have paid for the software. Some cloud providers set a cap on direct damages in the contract; it is usually 6 to 12 months of your subscription cost.
On the other hand, lost profits are often considered indirect damages. To limit liability, most contracts say that the provider is not responsible for any indirect damages. However, whether damages are direct or indirect depend on the specific facts of your case. Courts or arbitrators can decide what qualifies as direct, and therefore recoverable, damages.
Caps and exclusions on damages are just two ways providers aim to limit their liability. You should also review the indemnification clause of your SaaS contract closely.
Indemnity
To indemnify someone is to compensate, protect, or insure them against harm from an incident. Traditionally, indemnification is used to protect against third-party claims; with SaaS contracts, it’s also common to have indemnity provisions for both the customer and the vendor. What do vendors expect you to indemnify them for?
SaaS vendors include clauses to indemnify them for risks that customer behavior might bring. For example, they want to be protected in case your data results in an intellectual property claim against them. Similarly, if your company or staff break the law while using their software, they do not want to be liable for that. Also, if you fail to follow their Acceptable Use Policy and do not comply with their security standards, they expect you to cover the cost of any incident that results.
On the other hand, there are situations where you as a customer should seek to be indemnified. For example, you don’t want to be liable if the provider is infringing on intellectual property rights, fails to comply with laws, breaches confidentiality, or does not meet its promised security standards. If their behavior results in a breach, there will be costs to notify your clients and provide necessary remedies.
How are liability and damages decided? For many contracts, the answer is arbitration.
Arbitration
Arbitration is now a common feature of SaaS agreements because it resolves disputes in a faster and more cost-effective manner than litigation through the courts. Your contract should lay out the exact terms of arbitration. In general, though, you can expect the following.
You and the vendor will agree on a panel of arbitrators. The arbitrators will follow rules and fee schedules provided by the American Arbitration Association. These rules streamline the dispute resolution process and avoid a drawn-out legal process. In four months or less, your dispute will be settled without discovery or depositions. Each party will know what costs they are responsible for. The next question, then is: how will you cover the costs related to your incident?
Covering costs
Many businesses are buying cyber insurance to protect themselves financially. It is designed to handle expenses incurred from cyber attacks like business interruption costs, breach notifications, disaster recovery, legal expenses, and direct losses such as electronically stolen funds and ransom payments. You can choose different coverage limits according to your needs.
In a typical policy, you can expect several categories of coverage, each with its own deductible, and deductibles that apply per incident. High risk events like cyber crime will have a lower coverage limit. Even with cyber insurance, you may spend tens of thousands of dollars to meet your deductibles. Your costs will also vary based on the security measures you have in place. More modern insurance carriers even use monitoring tools and artificial intelligence to assign you a risk score that affects your rates.
To get better insurance rates, it’s important to have strong data security measures in place. While a cyber insurance policy will help you mitigate a disaster, good IT policies and procedures can prevent one. Where should you start? Take our free IT Maturity Self-Assessment to point you in the right direction. You’ll also have the opportunity to book a free strategy session with us.
As part of our holistic approach to IT, we have implemented security measures like multi-factor authentication (MFA) and network monitoring for dozens of our clients. We also develop backup and disaster recovery (BDR) plans so that your most critical data is protected in cases of hardware failures or cyber attack. You should have a BDR plan for the data in your SaaS web applications, too; this usually takes additional planning since cloud applications provide limited, if any, control over the backup and recovery process.
E-N Computers is a trusted partner for many companies seeking to build and maintain an up-to-date, secure computer network. We support businesses across a variety of industries including manufacturing, healthcare, law, and accounting. Contact us today to discuss how we can help you!
Next Steps: Learn more about the cloud and cyber insurance
READ: How much does cloud migration cost?
READ: What Is cyber insurance?
Cloud service providers promise a host of benefits that are very appealing to businesses needing flexibility for rapid growth or downsizing, or who want to minimize high capital expenditures. In How much does cloud migration cost? we touch on different aspects of the cloud and cover how to calculate your costs.
The cyber insurance market is reeling from a nearly 300% increase in ransomware attacks and more expensive extortion payments. As a result, premiums are increasing, policy terms are becoming more exact, and expectations are increasing for business that want coverage. Whether you purchase cyber coverage or not, you need to know your company’s risks, develop a plan to mitigate them, and implement information security controls. Doing so now is an investment in your company’s stability and reputation.
Take the IT Maturity Assessment
Is your business ready to weather changes, including employee turnover? Find out by taking our IT maturity assessment.
You’ll get personalized action items that you can use to make improvements right away. Plus, you’ll have the opportunity to book a FREE IT strategy session to get even more insights into your IT needs.
