Last Friday, July 12, 2024, it was widely reported that AT&T experienced another catastrophic cyber-attack. This material cyber incident affected over 100 million of its wireless customers according to AT&T’s 8-K Filing with the Security Exchange Commission (SEC).[1] The initial cyber-attack was discovered back on or about April 19, 2024, and it involved hackers exfiltrating all of AT&T wireless customer call logs, text messages, and cell site service data from May 1, 2022, to October 31, 2022, from a third-party cloud platform provider.
Snowflake has been identified as the third-party cloud vendor from which hackers exfiltrated the AT&T data. While cloud-solution data storage is one of the services offered by Snowflake, they house some of the most sensitive data for some of the world’s largest companies across all industries including but not limited to – advertising and entertainment, financial services, healthcare and life sciences, manufacturing, public sector, technology and telecom.
It is estimated that around “94% of all companies globally use cloud software currently…” speculating that the pandemic in 2020 caused an increase in remote work and greatly accelerated the movement toward the adoption of cloud technologies.[2] According to Mordor intelligence, the cloud computing market is estimated to be .68 trillion USD in 2024 growing to reach an expected 1.44 trillion USD by 2029.[3]
As a Law Firm that represents companies of all sizes navigate their risk and exposure to safeguarding data from cybercrime – what are the lessons when it comes to implementing cloud solution technologies?
1. Who is Liable for the Data when it is transferred from the Company to the Cloud Provider?
First, it is important to understand that when a company is taking its data that may include Personally Identifiable Information (PII)[4] and transferring it to a cloud environment, liability for that data doesn’t end with that “push” to the cloud. Envision an outsourcing scenario – where you have a customer company that is collecting massive amounts of data from their customers and/ or employees and decides that this data needs to be stored outside of the local network. The Company decides to hire a cloud vendor who is now performing part of the company operations, e.g. storing data that will free up space and resources on local networks and systems. Like the AT&T data breach, Snowflake, the vendor AT&T uses for storing data of their wireless customers has been breached – who is liable? What security protocols are in place? Phone calls are being made to attorneys and cyber insurance providers – the policies, contracts, terms, and conditions must be carefully scrutinized.
In general, the company that initially accepts the data is the “data owner” and will be liable for the cyber breach. However, it is often the case that when a data breach occurs the cloud vendor is sued – they will be sued and may be liable if they are negligent and not keeping up with standard industry practices and procedures when it protection of their client’s data.
2. Contracts between Data Owners and Cloud Technology Providers are Complex and Need Special Considerations.
During contract negotiations, it is extremely common for cloud vendors to try to limit or cap their liability to zero, or as close as they can get. It is important to understand which party is bearing the risk of loss and covered by insurance. Another greatly misunderstood and overlooked contract provision is indemnification which addresses which contracting party is liable if a third party is injured due to the performance of the contract obligations. In the situation of a data breach, does the cloud provider get indemnified by the data owner if a victim of the breach sues? It could also be a situation where the cloud vendor is responsible if they are negligent with respect to handling and protecting the data. The representations and warranties outlined in the contract are important to ensure that the cloud vendor has adequate security measures in place.
3. Don’t Be Caught Without Cyber Insurance.
Cybersecurity Insurance has become a hot commodity as the average cost of a data breach in 2024 is USD 4.5 million.[5] There are common requirements to qualify for cyber insurance coverage that broadly include: strong security controls, multifactor authentication, network security (e.g. firewalls, detection monitoring), encryption of confidential and sensitive data, and security awareness training for users of your network and systems. Given the current landscape of cybercrime, insurance requirements are becoming stricter and more difficult to obtain. Cyber insurance coverage can include covering any loss of data and data recovery measures, loss of revenue to your business if a cyber incident occurs, loss of funds related to ransomware and extortion, and those fees that occur due to a breach such as attorneys fees and victim-related expenses (e.g. credit monitoring).
There are many reasons to work with an experienced cybersecurity firm before a data breach occurs. Certainly, if you receive notification or become aware of a cyber incident, contact counsel right away to mitigate the damages and make sure you are in compliance with all state and federal laws and regulations that pertain to consumer data privacy and protection.
[1] https://otp.tools.investis.com/clients/us/atnt2/sec/sec-show.aspx
[2] Rizvi, Jia, From Startups TO Giants: The Role of The Cloud In Business Growth, Forbes (Feb. 6, 2024, 8:50 PM EST), https://www.forbes.com/sites/jiawertz/2024/02/06/from-startups-to-giants-the-role-of-the-cloud-in-business-growth/.
[3] Mordor Intelligence, Cloud Computing Market Size & Share Analysis – Growth Trends & Forecasts (2024 -2029) https://www.mordorintelligence.com/industry-reports/cloud-computing-market. (last visited Jul. 16, 2024).
[4] Personally Identifiable Information is defined as, “Information that can be used to distinguish or trace an individual’s identity – such as name, social security number, biometric data records – either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).” FIPS PUB 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-3.pdf
[5] Uncovering the True Cost: Average Cost of a Cybersecurity Breach in 2024, Cybersainik, https://cybersainik.com/average-cost-of-a-cybersecurity-breach/. (last visited 07/16/2024).
[View source.]
