Cloud risk management


JOURNAL OF INTERNET LAW
EDITED BY DLA PIPER
JUNE 2012, VOLUME 15, NUMBER 12

PROTECTION IN THE CLOUD: RISK MANAGEMENT AND INSURANCE FOR CLOUD COMPUTING
By Joshua Gold

Joshua Gold is a shareholder at Anderson Kill & Olick, P.C. in New York, NY. Mr. Gold regularly represents policyholders, including gaming and hospitality businesses, software companies, and retailers, in insurance coverage matters and disputes concerning contracts, liability, arbitration, time element insurance, electronic data, and related property-casualty insurance coverage issues. He can be reached at [email protected].

CONTENTS

PROTECTION IN THE CLOUD: RISK MANAGEMENT AND INSURANCE FOR CLOUD COMPUTING, by Joshua Gold (p. 1)

CYBER-TERRITORY AND JURISDICTION OF NATIONS, by Georgios I. Zekos (p. 3)

ON DOMAIN NAMES AND TRADEMARKS, by Ana Rački Marinković (p. 29)

A major technological trend these days is cloud computing. Many businesses find themselves faced with the key decision of whether to embrace this technology and migrate their data (and sometimes the data of their customers) to a professional “cloud” firm to host and manage this data. While many companies are intrigued with the savings promised by sending their information to the cloud, money alone should not be allowed to dictate this decision. Just like any other online endeavor, cloud computing is not without risks—many of which are significant.

CLOUD PERILS

When cloud computing goes as planned, it can be an efficient way to outsource a significant part of a business’ management of electronically captured information. It may also yield savings, as do other outsourcing strategies. When cloud computing goes “off the rails,” however, the consequences can be devastating.

Take, for example, a massive cloud-computing breach that occurred in 2011. The cloud security breach affected one of the largest entertainment and electronics companies in the world, its customers, and one of the largest cloud-services firms—all at once. [1] Specifically, the entertainment firm had entrusted data to a cloud-computing company that was in turn infiltrated by computer hackers. According to reports of the incident, approximately 100 million customer account files (including credit and debit card information) were compromised when the hackers infiltrated the cloud site and improperly accessed the sensitive account information. What was unique in this situation is that the hackers actually had a legitimate account set up with the cloud-computing site (albeit with phony identifying information and fraudulent intentions), as opposed to hackers who anonymously hack into other networks or systems.

Another cloud-security breach involved a company that provides e-mail services [2] to other businesses and handles more than 40 billion e-mails annually for more than “2,000 global brands.” [3] In a 2011 statement issued after the breach, the hacked company indicated that “clients’ customer data were exposed by an unauthorized entry into [the company’s] email system. The information that was obtained was limited to email addresses and/or customer names only.” [4]

Among the company’s customers are three of the top ten US banks, as well as other financial institutions. After the breach, numerous customers of the e-mail services company sent warnings to their own customers alerting them to the existence of the stolen information.

LOSSES, LITIGATION, AND LACK OF CONFIDENCE

Should data in the cloud be hacked, a business can be certain of the prospects of becoming embroiled in class action litigation and insurance coverage litigation, [5] business interruption, a hit to the firm’s good will, remediation costs, customer notification costs, government inquiries (both formal and informal), investigations, litigation brought by state attorneys general, and other costs, expenses, and claims.

In fairly recent disclosure guidance from the US Securities and Exchange Commission (SEC), one of its departments identified certain consequences of cyber-breaches that have relevance in the context of a cloud-computing breach. Registrants who fall victim to successful cyber-attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

• Remediation costs that may include liability for stolen assets or information and for repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after a cyber-attack.

• Increased cyber-security protection costs that may be incurred from organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants.

• Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following a cyber-attack.

• Litigation.

• Reputational damage adversely affecting customer or investor confidence. [6]

Today, for just about any company, a cloud-computing breach means facing financial fraud loss, privacy invasion claims, business interruption, loss of good will, and litigation, including class action litigation.

CATEGORIES OF DATA ON THE CLOUD

For any company considering cloud computing, one of the early questions is what information will be entrusted to the cloud: Does one allow company trade secrets, employee benefits/medical information, and/or financial information into the cloud?

If sensitive information is being considered to be put into the cloud, then a central question becomes the level of due diligence that a firm will perform to ensure that the cloud is both suitable and safe to house and manage the data. The level of due diligence can take many forms, including questionnaires, attestations, third-party assessment, and on-site audits. The more sensitive the data in question are, the more comprehensive the due diligence effort must be. As part of this process, firms should also consider obtaining from cloud-service companies representations, warranties, insurance, and indemnity protection.


DATA-SECURITY STRATEGY

For those considering cloud computing, the data-security risks described above should lead to a checklist. Specifically, due diligence should be performed to find out how the cloud-computing company erects safety walls between the data stored and processed for one client versus those supplied by another customer.

A checklist of due diligence items will vary from company to company, but it could include some of the following efforts:

• Meetings with cloud provider to discuss security strategies.

• Specific discussions with cloud firms regarding their employment of state-of-the-art security software and techniques.

• Establishing clear understandings and obligations for notices of a security breach.

• Reviewing the data-security track records of those firms under consideration to provide data hosting/management services.

• Conducting security audits.

• Negotiating the right to conduct security audits.

• Seeking the names of references and then interviewing those references as to their experiences with the cloud firm.

Issues regarding indemnification and insurance should also be discussed to be prepared in the event that a data breach were to occur. Businesses should require immediate notification of a data breach should the cloud firm detect one. Businesses should also explore whether they would have to disclose to their own customers, employees, and potentially others, that certain data that they might have an interest in have been supplied, shared, or transmitted to a third party for storage or processing. Additionally, businesses may wish to consider whether there are certain categories of information that are simply too sensitive to provide to an external source and, therefore, must remain off the cloud.

RISK MANAGEMENT: SAFEGUARDING DATA

Businesses can help make informed decisions regarding the extent to which they use cloud computing by having risk managers working in tandem with their information technology (IT) departments and in-house attorneys to protect data that are created by the business or entrusted to it by outside entities and individuals. One of the starting points in this endeavor is developing a data-security protocol that establishes clear directives regarding the handling of and access to information within the organization and to information that might be transmitted outside the organization as part of cloud computing. Virtually any company will have its own business and employee information electronically captured. So too will it have the e-data of its customers, including, often, account information.

An important step in the risk management process is to inventory the information possessed and determine its sensitivity. Certain categories of information demand heightened protection, including health information, personally identifying information of customers and employees, certain types of nonpublic financial information, trade secrets, customer lists, and business processes that yield competitive advantages. Decisions should be made as to whether this information is to be part of the business’s cloud computing plan or not. If it is, then, as noted earlier, due diligence should follow regarding the cloud-computing vendor’s security, insurance, and indemnification obligations.

Once such information is identified for heightened protection, it usually is not enough to simply guard against external threats of unauthorized access. It is also important to make intelligent decisions about internal access to protected classes of information—whether being accessed from on-site servers or from a cloud firm. Businesses should find out what levels of employees within a cloud-computing firm have access to information. Not surprisingly, some cloud-computing firms have several other divisions and business enterprises. It is important to know who has access to what categories of information to get a handle on both external and internal hacking threats.

For example, it can be risky (and unnecessary) to grant company-wide access to sensitive business information. Instead, under most circumstances, limiting the access internally to such information based upon necessity and security clearance reduces the risk of unauthorized or improper disclosure of sensitive information. With cloud computing, this analysis must be performed on two different levels.
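The inventory-and-access analysis described in the preceding paragraphs can be made concrete in a small model. The following Python is an added illustration, not code from the article or from any company it mentions: it records each data category with a sensitivity tier, applies a policy saying which tiers may be entrusted to an outside provider at all, and then answers the need-to-know question at the two levels the article distinguishes, the business's own staff and the provider's staff. All asset names, roles, record counts and policy settings are constructed for the example.

```python
"""
Data-inventory and two-level access model for cloud risk decisions.

Added illustration (not the article's or any vendor's code). Every asset,
role, record count and policy value below is constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2   # e.g. customer lists, business processes
    RESTRICTED = 3     # e.g. health data, customer/employee PII, card data


@dataclass(frozen=True)
class DataAsset:
    name: str
    sensitivity: Sensitivity
    owner: str          # business unit accountable for the data
    records: int        # individuals or items affected if this asset is breached


@dataclass(frozen=True)
class Policy:
    max_cloud_tier: Sensitivity   # highest tier the business will host off-site
    internal_roles: dict          # tier -> set of internal roles with need-to-know
    provider_roles: dict          # tier -> set of provider-side roles allowed to see it


def cloud_eligible(asset: DataAsset, policy: Policy) -> bool:
    """First decision: may this category leave the organisation at all?"""
    return asset.sensitivity <= policy.max_cloud_tier


def access_allowed(asset: DataAsset, role: str, level: str, policy: Policy) -> tuple:
    """Need-to-know check at one of the two levels: 'internal' or 'provider'.

    Returns (allowed, reason). Provider-side access is refused for any asset the
    policy keeps off the cloud, whatever the provider role, so the two levels
    cannot contradict the placement decision.
    """
    if level not in ("internal", "provider"):
        raise ValueError("level must be 'internal' or 'provider'")
    if level == "provider" and not cloud_eligible(asset, policy):
        return False, f"{asset.name} is kept off the cloud; no provider role may access it"
    table = policy.internal_roles if level == "internal" else policy.provider_roles
    tier = asset.sensitivity.name
    if role in table.get(asset.sensitivity, ()):
        return True, f"{role} has need-to-know for {tier} data at {level} level"
    return False, f"{role} lacks need-to-know for {tier} data at {level} level"


def inventory_report(assets, policy: Policy) -> dict:
    """Summarise the inventory: what may go to the cloud, what stays on premises,
    what needs heightened protection (and so vendor due diligence if it goes
    off-site), and how many records a breach at the provider could expose."""
    cloud = [a.name for a in assets if cloud_eligible(a, policy)]
    on_premises = [a.name for a in assets if not cloud_eligible(a, policy)]
    heightened = [a.name for a in assets if a.sensitivity >= Sensitivity.CONFIDENTIAL]
    exposed = sum(a.records for a in assets if cloud_eligible(a, policy))
    return {
        "cloud": cloud,
        "on_premises": on_premises,
        "heightened_protection": heightened,
        "records_exposed_if_provider_breached": exposed,
    }


# Constructed sample inventory and policy for a hypothetical retailer.
SAMPLE_ASSETS = [
    DataAsset("marketing-site-content", Sensitivity.PUBLIC, "marketing", 0),
    DataAsset("customer-email-list", Sensitivity.CONFIDENTIAL, "marketing", 250_000),
    DataAsset("employee-health-benefits", Sensitivity.RESTRICTED, "hr", 1_200),
    DataAsset("card-on-file-records", Sensitivity.RESTRICTED, "finance", 80_000),
]

ALL_STAFF = {"marketing", "support", "finance", "hr", "engineering"}
SAMPLE_POLICY = Policy(
    max_cloud_tier=Sensitivity.CONFIDENTIAL,
    internal_roles={
        Sensitivity.PUBLIC: ALL_STAFF,
        Sensitivity.INTERNAL: ALL_STAFF,
        Sensitivity.CONFIDENTIAL: {"marketing", "support"},
        Sensitivity.RESTRICTED: {"finance", "hr"},
    },
    provider_roles={
        Sensitivity.PUBLIC: {"provider-support", "provider-ops"},
        Sensitivity.INTERNAL: {"provider-ops"},
        Sensitivity.CONFIDENTIAL: {"provider-ops"},
        # No entry for RESTRICTED: that tier never reaches the provider.
    },
)

if __name__ == "__main__":
    print(inventory_report(SAMPLE_ASSETS, SAMPLE_POLICY))
    for asset in SAMPLE_ASSETS:
        for role, level in (("engineering", "internal"), ("provider-support", "provider")):
            print(asset.name, role, level, access_allowed(asset, role, level, SAMPLE_POLICY))
```

The point of the `records_exposed_if_provider_breached` figure is that it is computed only over the assets the policy actually allows off-site, which is the number a risk manager needs when weighing the provider's indemnity and insurance terms against the placement decision.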


INSURANCE COVERAGE CONSIDERATIONS

Insurance coverage is available for losses arising from computer fraud or theft under both existing and new stand-alone insurance products. Some of this coverage is quite valuable, but it should never be thought of as being “customer-friendly.”

Policy terms should be closely scrutinized to see if the use of cloud computing would alter or reduce coverage. For example, a common feature of recent network security policies involves clauses that purport to condition coverage on the absence of errors or omissions in the data-security measures employed by the policyholder. Such insurance policy clauses have the potential to be exploited when insurance companies argue that a policyholder was somehow derelict in safeguarding computer data from hackers, among others. Furthermore, some policies may attempt to limit insurance coverage when a data breach occurs when a computer is not actively connected to a network. Accordingly, policyholders should steer toward selecting insurance policy forms that are devoid of as many coverage exclusions (a.k.a. the fine print) as possible.

SEC DISCLOSURE GUIDANCE

As indicated earlier, the SEC has provided guidance to registrants as to what disclosure obligations they may face as a result of their cyber-exposure. In relevant part:

In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure. Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

• Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;

• To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;

• Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;

• Risks related to cyber incidents that may remain undetected for an extended period; and

• Description of relevant insurance coverage.

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences. [7]


One large software and cloud-computing company has disclosed certain cloud-computing perils in its securities disclosures, as follows:

Security vulnerabilities in our products and services could lead to reduced revenues or to liability claims. Maintaining the security of computers and computer networks is a critical issue for us and our customers. Hackers develop and deploy viruses, worms, and other malicious software programs that attack our products and gain access to our networks and data centers. Although this is an industry-wide problem that affects computers across all platforms, it affects our products in particular because hackers tend to focus their efforts on the most popular operating systems and programs and we expect them to continue to do so. We devote significant resources to address security vulnerabilities through:

• engineering more secure products and services;

• enhancing security and reliability features in our products and services;

• helping our customers make the best use of our products and services to protect against computer viruses and other attacks;

• improving the deployment of software updates to address security vulnerabilities;

• investing in mitigation technologies that help to secure customers from attacks even when such software updates are not deployed; and

• providing customers online automated security tools, published security guidance, and security software such as firewalls and anti-virus software. [8]

The cloud firm goes on to indicate that:

Improper disclosure of personal data could result in liability and harm our reputation. We store and process large amounts of personally identifiable information as we sell software, provide support and offer cloud-based services to customers. It is possible that our security controls over personal data, our training of employees and vendors on data security, and other practices we follow may not prevent the improper disclosure of personally identifiable information. Improper disclosure of this information could harm our reputation, lead to legal exposure to customers, or subject us to liability under laws that protect personal data, resulting in increased costs or loss of revenue. Our software products and services also enable our customers to store and process personal data. Perceptions that our products or services do not adequately protect the privacy of personal information could inhibit sales of our products or services. [9]

DIRECTORS AND OFFICERS INSURANCE CONCERNS

The SEC’s guidance relates to what disclosures should be made by companies subject to the 1933 Securities Act and the 1934 Securities Exchange Act. Corporations must now consider what disclosures specific to cyber-security, and to cloud computing, are appropriate in their securities filings. The new disclosure requirements place added focus on directors and officers (D&O) insurance coverage—both at the point of purchase and at the point of claim payment should a cyber-loss ensue.

The SEC identifies several aspects of cyber-perils to be disclosed when applicable. These include an analysis of potential exposure to a data breach or attack, a discussion of material cyber-incidents, a description of related legal proceedings, and the implications for the firm’s finances.

The issue of cyber-perils has thus been elevated from risk management, legal, and IT departments to the corporate suite. This will entail far greater scrutiny from investors as to what is disclosed and the quality of the disclosure—all judged with 20/20 hindsight. D&O underwriters will accordingly find new interest in their customers’ cyber-security issues and preventive measures, and they will likely add new or more-tailored questions concerning both past cyber-incidents and present plans for curtailing or preventing data breaches.

As with any insurance application, it is imperative to answer these new applications carefully. Policyholders should also be aware that some insurance applications are purposefully designed to ask overly broad questions that are nothing more than a snare and a potential coverage fight. Policyholders should therefore prepare for negotiation over the terms of insurance applications.

Ensuring that D&O coverage will be available should a cyber-related lawsuit arise that targets management is critical to defraying the significant defense and indemnity costs often involved in lawsuits against directors and officers. Thus, added care must go into reviewing all D&O insurance policy terms and endorsements (including those contained in the primary, excess layer, and Side A policy forms). It is likely that some insurance companies will try to insert exclusions into D&O policies akin to those inserted into many specialty Internet policies. Many of these terms are vague and may lead to sharp disagreements over their effect on the scope of insurance coverage for a cyber-related claim.

Beyond D&O insurance issues, companies should also have an overall cyber-risk management plan that draws from various departments, including financial, risk management, legal, and IT departments, and at least some senior managers.

One key step for a business is to build a computer infrastructure with up-to-date security to guard against hackers, malware, and viruses. Plaintiffs, regulators, and insurance companies often seize upon accusations that a business has used obsolete or ineffectual security measures to guard against unauthorized data-access events.

A second step is that a business should disclose the extent of its cloud-computing use to its customers, partners, suppliers, and other parties who may transmit or share data to conduct business. While such a disclosure may not be mandatory, it can go a long way toward nullifying certain accusations by third parties. Also, a business should undertake (and document) due diligence measures regarding the security employed by the company that is providing the data hosting or management. It is important for a business to demonstrate and make a record that it has been judicious in its entrustment of data to any offsite businesses, such as a cloud-computing firm.

A third step, when cloud-computing firms are utilized, is for a business to make sure that the contractual agreements expressly set forth the level of indemnity and “hold harmless” protection that the cloud company will provide should the entrusted data be hacked. Businesses should also insist on representations and warranties regarding the level of security employed by the cloud firm to protect the entrusted data against hacks from outsiders, other cloud customers, and even improper internal access of data from within other segments of the cloud-computing firm.

CONCLUSION

Advanced planning and analysis will not only ease the burden of navigating the SEC’s new pronouncements on data security threats, but it will also prepare a business, should a hacking incident occur, to cope with state notice laws, shareholder litigation, and inquiries and potential lawsuits from government authorities, including the SEC, Federal Trade Commission (FTC) and state attorneys general.

NOTES

1. See Joseph Galante, Olga Kharif & Pavel Alpeyev, “Sony Network Breach Shows Amazon Cloud’s Appeal for Hackers,” Bloomberg, May 16, 2011, available at www.bloomberg.com/news/2011-05-15/sony-attack-shows-amazon-s-cloud-service-lures-hackers-at-pennies-an-hour.html.

2. See Erik Sherman, “The Epsilon Email Break-In: A Bad Break for The Cloud,” CBS News Apr. 5, 2011, available at www.cbsnews.com/8301-505124_162-43449742/the-epsilon-email-break-in-a-bad-break-for-the-cloud/.

3. See Paul Ducklin, “Epsilon Email Address Megaleak Hands Customers’ Customers to Spammers,” Naked Security, Apr. 4, 2011, nakedsecurity.sophos.com/2011/04/04/epsilon-email-address-megaleak-hands-customers-customers-to-spammers/; “What Effect Will the Epsilon Data Theft Have on Cloud Computing?,” CloudTweaks, Apr. 13, 2011, cloudtweaks.com/2011/04/what-effect-will-the-epsilon-data-theft-have-on-cloud-computing/.

4. See Jorgen Wouters, “Massive Hack of Top E-Marketer May Leave Millions Open to Phishing Attacks,” Daily Finance, Apr. 4, 2011.

5. See generally, Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (S. Ct., N.Y. County).

6. Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity, Oct. 13, 2011.

7. Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity, Oct. 13, 2011.

8. Microsoft Investor Relations, “Risks and Uncertainties,” Item 1A. Risk Factors, http://www.microsoft.com/investor/EarningsAndFinancials/Earnings/RisksAndUncertainities/FY11/Q2/RisksAndUncertainties.aspx.

9. Id.

Copyright of Journal of Internet Law is the property of Aspen Publishers Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.