On Monday, July 29, Capital One Financial Corporation (Capital One) announced one of the largest data breaches yet to hit a major bank. The hacker accused of perpetrating the breach, Paige Thompson, once worked as a software engineer at Amazon Web Services (AWS), the cloud services company that hosted Capital One’s breached database.i We don’t yet know whether Thompson’s ability to hack Capital One had anything to do with her former involvement with AWS, but the possibility raises an interesting question:
What happens when your cloud provider causes a data breach? The answer to this question depends in large part on what’s in your contracts with the cloud provider. While large companies like Capital One often have custom negotiated contracts, millions of businesses simply accept their cloud provider’s click-through agreement as offered. So what do those contracts say about what happens when the cloud provider causes a breach because a rogue employee of the cloud provider gains unauthorized access to a customer account? We looked at the click-through agreements for the top two cloud providers in the US and analyzed how this issue might be resolved under each. The results are astonishing.
| | Did the provider violate the contract?* | If so, can the customer recover damages? | What it means |
|---|---|---|---|
| AWS | Maybe.ii AWS does not promise a lot in its contracts, so there's not a lot for it to violate. | Probably not.iii In fact, AWS's indemnification provision could be construed to require its customers to indemnify AWS against claims brought against AWS by victims of the breach.iv | Most customers would be pretty out of luck trying to recover damages from AWS, and may even have to defend AWS against lawsuits brought by victims of the breach. |
| Microsoft Azure | Probably.v Microsoft contractually promises that its personnel will not breach its customer's data. | Probably, but only for direct damages up to the amount the customer paid for the services in the 12 months preceding the cause of action.vi | Customers could probably recover the last 12 months of fees paid to Microsoft and would not have to defend Microsoft against lawsuits brought by victims of the breach. |
*See citations for more detailed analyses.
Sadly, data breaches can be extremely costly to businesses, so being able to recoup the amount of fees paid for the last 12 months of cloud services is not likely to make a business whole. Nonetheless, the possibility of recouping 12 months of fees from Microsoft is clearly better than the possibility of having to defend AWS against damages its employee caused.
About Citizn Company: Citizn Company is a legal technology company in Denver, Colorado that is building tools to help individuals and businesses understand the contracts they sign. Founded by attorneys experienced in reviewing and negotiating contracts, Citizn Company cuts through the legalese that is pervasive in the contracts governing virtually everything we use. By providing concise, plain-language reports on complicated agreements, Citizn Company enables you to understand exactly what your rights and obligations are so you can maximize the value of your contracts. On August 14, 2019, Citizn Company will publish reports analyzing the contracts of the top five cloud service providers, including AWS and Microsoft Azure. We educate our customers on the meanings and differences of certain contract provisions, but we do not provide legal advice. To learn more, go to www.citizncompany.com.
WE ARE NOT COMMENTING ON OR VERIFYING ANY OF THE ALLEGED FACTS REPORTED BY THE MEDIA INCLUDING WHETHER THE CAPITAL ONE BREACH WAS ACTUALLY CAUSED BY THOMPSON, WHETHER THE HACK WAS ACTUALLY ENABLED OR FACILITATED BY HER EMPLOYMENT RELATIONSHIP WITH AWS, WHETHER AWS IS ACTUALLY LIABLE OR IN ANY WAY RESPONSIBLE FOR THE HACK, WHETHER CAPITAL ONE SIGNED AWS’S STANDARD AGREEMENTS OR SOME OTHER AGREEMENTS, OR ANY OTHER ALLEGED FACTS RELATING TO THE CAPITAL ONE DATA BREACH. OUR RESEARCH AND THESE CONCLUSIONS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND.
THIS POST IS FOR INFORMATION PURPOSES ONLY AND SHALL IN NO WAY BE CONSTRUED AS LEGAL ADVICE.
For additional information, email or call 520-850-9814.
i See for example, CNN’s coverage.
ii Possible breach of contract claims would include breach of AWS’s contractual commitments (a) not to “access or use” customer’s data except as needed to provide the services (Section 3.2 of AWS Customer Agreement), and (b) to “implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure” (Section 3.1 of AWS Customer Agreement).
iii If a customer did have a valid breach of contract claim, it would have to overcome AWS’s disclaimer of all possible liability whatsoever (first sentence of Section 11 of AWS Customer Agreement).
iv The standard AWS indemnification provision requires AWS customers to indemnify AWS against any claims arising from the customer’s “use of the [AWS services]” (Section 9.1 of AWS Customer Agreement).
v Possible breach of contract claims could include breach of Microsoft's commitments to (a) ensure "that its personnel engaged in the processing of [customer data] and [personal data] (i) will process such data only on instructions from customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends" (Processor Confidentiality Commitment, Data Protection Terms, Online Services Terms (available by downloading the English version at this link)), and (b) "implement and maintain appropriate technical and organizational measures to protect Customer Data and Personal Data" (Security Practices and Policies, Data Protection Terms, Online Services Terms).
vi We did not find any provisions that would require a customer to indemnify Microsoft in such a circumstance. Furthermore, Microsoft allows claims for direct damages up to the amounts paid by the customer for the Microsoft services in the 12 months before the cause of action occurred (Section 6.a of the Microsoft Online Subscription Agreement).
Otto Hanson, JD, MBA
Founder and CEO