Classen and McCaw 2012 (†599)

Classen, H. Ward, and Andrew McCaw. "Cloud Computing Confidentiality and Data Security in the Cloud: Avoiding Turbulence Through Careful Drafting" Computer and Internet Lawyer 29:12 (December 2012), p. 1-9.
- liability (p.3): A savvy vendor will resist assuming liability for third party breaches and hacking on the basis that no environment is completely safe and that the customer would be liable for these risks if it were hosting the data in the customer’s own environment. A vendor’s willingness to assume this risk will likely be dependent on a number of factors including whether the customer is using a public or private cloud, the type of services purchased by the customer, i.e., Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), pricing and any limitations of liability set forth in the underlying agreement. IaaS is considered to embody less risk to the customer than SaaS as the customer retains less control with SaaS. Similarly, a public cloud is considered to be inherently more risky than a private cloud given the nature of a shared environment. (†1380)
- risk (p.9): Cloud computing offers many advantages to customers but raises concerns related to maintaining the privacy of the customer’s confidential information. A customer’s confidentiality and data security risks can be managed, however, through careful contract drafting and negotiation. While these risks cannot be completely eliminated, there is no reason not to use cloud computing as the benefits of cloud computing far outweigh the risks associated with a carefully negotiated contract. (†1383)
- security (p.3): Data security is typically a customer’s greatest concern when deciding whether to use a vendor’s cloud services. Customers typically assume that the financial liability for loss, misuse, damage or destruction of that data falls to the cloud vendor, but that is not necessarily the case. A vendor’s data security obligations and liabilities are contractually separate and distinct from its confidentiality obligations and those security obligations may transfer to the customer the responsibility of security for that data. (†1381)
- security (p.3): Those vendors unwilling to accept liability without fault usually argue that a customer cannot make its own cloud network environment impervious to hacking and thus the vendor should not be held to a higher standard. ...Why should a vendor be expected to deliver at a level the customer itself is incapable of achieving? Customers, on the other hand, believe that data security is likely to be higher through a third party cloud vendor as the vendor has both the resources to dedicate to that security and the expertise in information technology to detect and confront emerging security threats. In addition, customers rely on the fact that vendors providing cloud services to certain industry sectors know or should know of any mandated minimum standards for data security applicable to those sectors. Accordingly, customers look to the vendor to use the resources and expertise to deliver the services with a higher level protection than the customer is able to achieve itself. (†1382)