Cloud Computing Exposures: LJ’s List of What to Watch Out For

As previously discussed, using the cloud can create a variety of new risks and considerations for companies. Here’s a fresh list of items to watch out for based on the following cloud scenario. Note: negligent error or omission is still the greatest exposure a company can face from a professional liability insurance perspective.  Using the cloud only increases this exposure because the cloud is outside the company’s control. 

Scenario

A company decides to use the cloud for its infrastructure, service, storage and phone service.  The cloud provider stores the company’s data overseas. 

Exposures

1.  Transmission of data to servers outside the United States may cause the company to be an exporter under the EAR. This could be a new exposure if the company is not otherwise considered an exporter.  An unintentional violation of the EAR may result in an administrative penalty ranging from $11,000 to $120,000 per violation.

2.  Company is not domiciled in a region normally exposed to catastrophic climate conditions, but the cloud provider’s data storage facility is.  The business interruption risk caused by the inclement weather exposure can be new or increased depending upon the location of the company and the cloud. 

3. Cloud provider suffers data breach but fails to notify or provide timely notification of breach.  If company’s confidential information is exposed, including the confidential data of its clients, the cloud provider’s delay can create a burden on the company’s own ability to notify and respond to the breach. Penalties for the company’s failure to provide timely notification to its customers of the breach could apply.

4. Company’s data is lost or corrupted while on the cloud provider’s server.  The terms of the cloud provider contract will most likely dictate what level of responsibility the cloud provider will assume for this and to what extent, if any, the company is indemnified for the missing or corrupt data.

5. Company is unable to access data due to problems with cloud provider service resulting in business interruption for company. Business interruption insurance can help transfer this risk. Watch out for policy language limiting coverage to systems that are in the insured’s care, custody and control.

6.  Company decides to pull data back in-house on its own server but the process does not go smoothly.  Migrating data to a different server (or cloud provider) creates an opportunity for lost data and the loss may not be noticed immediately.  Again, the cloud provider contract can determine the terms and responsibilities for the migration. 

This is the fourth installment of LJ’s List of What to Watch Out For.  Check out the Privacy and Security, Tech Professional Liability and the Third-party Security lists.