Tuesday, October 13, 2009

Sidekick Episode Provides Real World Example of Cloud Computing Risks

by John L. Watkins

In a prior post, I wrote regarding both the promise of cloud computing, or software as a service, and the very real potential legal issues and conundrums faced by businesses considering moving some or all of their IT services and data to the "cloud." Perhaps the most fundamental issue is responsibility, or, more importantly, lack thereof, for lost data.

Recently, users of the Sidekick phone manufactured by Microsoft's subsidiary Danger experienced a loss of data first hand. According to published reports, contacts and photos stored on the phones were lost due to a server failure. One report indicated that the data was most likely permanently lost. However, as of this writing, T-Mobile, the distributor of the phone, stated on its website that "recent efforts indicate the prospects of recovering some lost content may now be possible." (Updated 10/12/09, 5:15 p.m. P.D.T.) The final outcome remains to be seen.

It is beyond question that many Sidekick users have been, at the least, severely inconvenienced by this event. The event puts in a very real context the possible loss of data by businesses considering using cloud based services. Consider the possible consequences of a catastrophic loss of data a doctor's office, an insurance agency, a law firm, or basically any other business.

As things presently exist, it appears that users of cloud based services may have little in the way of legal remedies. A very quick review of the terms and conditions for two of the best known cloud providers illustrate the issue. The Google Apps Premier Edition Agreement, paragraphs 14.1 and 14.2, disclaims liability for incidental and consequential damages and limits total liability to the amount paid by the customer to Google for services in the preceding twelve (12) months. The Agreement mandates California law and sets the exclusive venue for any dispute to be the courts in Santa Clara, CA. (Paragraph 15.10).

The Master Subscription Agreement for Salesforce.com, which is said to govern the free trial and any subsequent subscription, similarly limits liability, for any single incident, to the lesser of $500,000 or the amounts paid by the customer in the preceding twelve (12) months. (Paragraph 11.1). The Agreement also excludes incidental and consequential damages (Paragraph 11.2). The exclusive venue for litigation (for North American customers) is San Francisco, CA.

I have not researched the enforceability of these limitations under California law, but it is a pretty safe bet that the attorneys who drafted the terms and conditions have done so. Assuming the provisions are enforceable, it means, in common parlance, that a customer experiencing a service interruption or loss of data is out of luck. One prominent commentator, John C. Dvorak, has written that the Sidekick incident may "blow up the cloud," and that the end user license agreements limiting responsibility are the reason.

For a business considering cloud based computing, the Sidekick incident should provide fair warning. Technology is not perfect. Data loss does happen, and there may be no effective remedy. To be fair, this could also happen using a conventional network, and there may be no remedy in that instance as well. However, a business that backs up its data with a simple tape drive system has a pretty reasonable chance of recovering it in the event of a server failure. Any business considering a cloud based approach should, at the very least, have the provider's terms and conditions reviewed so that it can assess the risk it is assuming.

The lawyers who drafted these terms and conditions cannot be faulted: They are doing what lawyers are supposed to do. Sellers often limit liability, and with good reason. However, if machinery, as an example, breaks down, it can be repaired or replaced. The irretrievable loss of data is, at least from a real world perspective, different (the "legalities" may well be the same). Further, the failure of cloud providers to take legal responsibility may limit the widespread adoption of cloud based technology.

Please do not understand this as a blanket rejection of cloud based computing. I love Google's applications (after all, this is being written on Blogger) and have been very impressed by a demonstration of Salesforce. I also am a loyal (perhaps to a fault), T-Mobile customer (BlackBerry, not Sidekick!). Whether I would store critical data or confidential client information in the cloud, however, is another story, at least at this point in time.

I'm just an old lawyer from Atlanta, but it seems to me that if one of these companies were willing to accept some liability for data loss (such as, for example, a guarantee to restore data in a certain period of time or face some real liability), it would eliminate one of the key objections to cloud based technology. If the risk of data loss is truly minuscule, notwithstanding the Sidekick incident, this should be a risk that could be spread over a large user base for an incremental additional cost. It is even possible that an enterprising insurer is developing a product that could serve as a backstop. My guess is there is some money to be made here at a number of levels. Maybe that vendor is out there somewhere in the cloud.

No comments:

Post a Comment