Friday, October 30, 2009

Case Study for Legal Risk Management for "Cloud Computing": Data Loss for T-Mobile Sidekick® Customers

Telecom providers are increasingly outsourcing IT functions for “cloud computing.” A widespread data loss in mid-October 2009 by an IT outsourcer to a mobile telephony provider underscores the practical limitations of using the Internet as a data storage platform.

In this episode, subscribers to T-Mobile Sidekick® mobile devices were informed that their personal data – contact information, calendars, notes, photographs, to-do lists, high scores in video games and other data – had almost certainly been lost. T-Mobile (a service of Deutsche Telekom AG) had outsourced the management of the “cloud computing” function for the Sidekick® devices to Microsoft’s subsidiary, Danger, Inc. While T-Mobile has offered a $100 freebie in lieu of financial compensation and some data was recovered, the case invites legal analysis of the liability of any service provider – whether for mobile telephony or enterprise backup and remote storage – for “software as a service” (“SaaS”) or “cloud computing.”

Technological Framework for “Cloud Computing.” “Cloud computing” means simply that data are processed and stored at a remote location on a service provider’s network, not on the enterprise’s network or a consumer’s home computer. Such data could be any form of digital information, ranging from e-mail messages (such as those stored by Google and Yahoo!) to databases, customer records, personal health information, employee information, company financial information, customer contracts and logistics information.

“Clouds” come in two flavors: public and private.

o In a public cloud, the general principles of the Internet apply, and data transmissions can flow between many different third-party computers before reaching the service provider’s servers. Amazon offers hardware in variable computing capacities in its “Elastic Compute Cloud” (or “EC2”) services. Similarly, Google offers an “App Engine.”

o In a private cloud, one service provider (alone or with its subcontractors) controls the entire end-to-end transport, processing, storage and retrieval of data.

Cloud computing exposes users to some key vulnerabilities and added costs:

o The user depends on a high-performance Internet connection. Service level performance cannot be guaranteed except in private clouds.

o “Single points of failure” (“SPOF”) can arise in data transmission, processing and storage, for which special security measures and redundancy may be required. Heightened security risks require extra resources.

o Loss of control over the public portion of a “public cloud” can impair performance through delays and data loss resulting from uncontrolled environments.

o Delays in data restoration may occur due to interruptions in data transmissions.

o Business continuity, resumption and data protection require special solutions.

o Passwords could be guessed at using social networking tools, but if the user accounts are maintained internally in a controlled network, the systems could use techniques to detect and eradicate misuses and abuses from users based on aberrational access profiles and unauthorized territorial access. In a public cloud, security tools such as data leak prevention (“DLP”) software, data fingerprinting, data audit trail software and other tools might not be

Such vulnerabilities explain why “cloud computing” needs special controls if used as a platform for providing outsourced services.

In the October 2009 T-Mobile debacle, users relied on the telecom service provider to store and back up the data. Mobile telephony devices (other than laptops) were seen as tools for creating, but not storing, significant volumes of data. Remote data storage was a unique selling proposition, or so one thought.

T-Mobile’s Technological Failure. On its website, T-Mobile exposed the technological sources of the failure of its “cloud computing” for mobile devices. It explained:

We have determined that the outage was caused by a system failure that created data loss in the core database and the back-up. We rebuilt the system component by component, recovering data along the way. This careful process has taken a significant amount of time, but was necessary to preserve the integrity of the data.
SOURCE:, Oct. 15, 2009 update.

Mitigating Damages: Public Relations Strategy for Restoring Customer Confidence and Maintaining Brand Goodwill. After some delay, without admitting any liability or damages, T-Mobile adopted a “damage control” strategy drawn from the usual “disaster recovery” process models:

Compensation. It offered any affected customers a $100 gift card for their troubles in addition to a free month of service.

Communication Outbound. It created and updated a Web forum for Sidekick users to get information about the nature of the problems, whether the data loss was irretrievable and the time to resume operations.

Communication Inbound. It provided an e-mail contact address so that it could respond to inquiries and thus identify and counteract rumors that might have been spreading.

Compliance. T-Mobile notified the public media since the “disaster” exposed it to the possibility that more than 5,000 consumers in any particular state might have had their personally identifiable information (“PII”) exposed to unauthorized persons such as hackers. Such notifications (along with other notices to individual customers and designated government officials) are mandated by state law in over 40 states.

Corrections and Control. It focused on remediation first, deferring problem resolution with any claims against its service provider, Microsoft’s subsidiary Danger, Inc.

Confidentiality. It kept its communications with its failing provider confidential and focused on remediation.

Escaping Liability for Damages. Generally, telecom service providers disclaim liability in excess of a small amount. Further, service contracts contain exclusions of liability for consequential damages as well as force majeure clauses. Generally, such disclaimers and exclusions are enforceable. However, various legal theories might prevent a service provider from escaping liability for failed service delivery.

Legal Risks for Providers of “Cloud Computing” Services. T-Mobile consumers might assert various legal theories against T-Mobile for damages if their data are not fully restored, or if T-Mobile fails to act promptly and reasonably to mitigate damages to consumers.

False Advertising; Unfair and Deceptive Practices. State and federal laws prohibit false or deceptive advertising and unfair and deceptive practices. Enforcement of these laws is generally restricted to governmental agencies such as the Federal Trade Commission, the Federal Department of Justice and the state Attorneys General. Deception is a term of art and depends on the facts. In this case, the question is how solidly T-Mobile portrayed the benefits of “cloud computing,” and whether it warned against loss of data. If T-Mobile can show that it warned users of potential data loss and recommended that they back up their own data, such a warning might relieve it from liability. If T-Mobile represented that it would use reasonable security, backup and business continuity services, subscribers with lost data might have a claim of negligence or gross negligence.

Consumer Fraud. Under common law and state consumer protection laws, generally, a fraud occurs when the seller knowingly misleads or makes a false statement of fact to induce the consumer to make a purchase. A massive fraud is subject to a class-action claim in Federal court under the Federal Rules of Civil Procedure.

Magnuson-Moss Warranty Act. Normally, an outsourcing services contract is not one that is associated with the maintenance of a product such as a telephone or a computer. If the service provider were also selling any equipment to the customer, and the customer were a “consumer,” and the service provider agreed to maintain or repair the consumer product, then the Magnuson-Moss Warranty Act, 15 U.S.C. § 2301 et seq., would apply. This risk explains why sellers of consumer products (mobile telephones) offer only limited warranties. The Magnuson-Moss Warranty Act is probably not a source of potential liability for T-Mobile, but that depends on the customer contracts.

Privacy Violations. Cloud computing providers may become liable to consumers or enterprise customers for failure to comply with applicable privacy statutes. Such statutes protect personal health information (under HIPAA), personal financial information (under the Gramm-Leach-Bliley Act), personally identifiable information (state and federal laws), financial information of a plan fiduciary under ERISA or other or simply confidential information that could be a trade secret or potentially patentable idea of an enterprise or its customers, suppliers or licensors. Data subject to export control laws and regulations governing trade in arms and “defense articles” are thus not good candidates for “cloud computing” except for “private clouds.”

Enterprises hiring third parties to remotely process and manage their operational data are liable to third parties if any protected data is mishandled, depending on the exact wording of the law. Allocation of liability for privacy and security violations is typically a negotiated element of any outsourcing agreement.

Protecting Consumers in Cloud Computing. The legal framework for “cloud computing” needs to be well defined before it can become a reliable business model replacing networks or local workstations. Regardless of disclaimers in consumer contracts, providers of “cloud computing” services will need to adopt reliable, resilient storage backups, disaster recovery and business continuity services. Moreover, when hiring a “cloud computing” service provider (as T-Mobile did when it hired Microsoft/Danger, Inc.), the seller must ensure high standards by its subcontractors. Telecom outsourcing to IT providers requires special technical and legal controls to protect the consumer and the telecom carrier.

1 comment:

  1. Very informative, Bill. As is generally true with technology these days, legal ramifications lag behind innovation.