Data in the Cloud: Cyber-Security, Legal, and Financial Considerations
Cloud Benefits and Costs
An annual study by IBM and Ponemon Institute (the “Study”) reviews and reports the average costs associated with data breaches and how different technologies, industries, or preventative measures affect that average. The Study reports averages on a “per-record” basis. A “record” can be any data point that contains personal information as defined by a state or federal statute. For example, names, dates of birth, driver’s license numbers, and credit or debit card numbers can all be records. The Study estimates the current response cost at $250 per record for a US-based company. Thus, the loss of a single driver’s license number would cost a company $250 in investigation and notification expenses, while the loss of 10,000 records would cost a company, on average, $2,500,000.
Companies often mitigate the risk of a data breach by outsourcing the protection of their data to third-party providers such as cloud service providers. Many firms have moved all or part of their data to cloud service providers to mitigate or completely transfer their risk. In addition to managing risk, cloud service providers help companies save money through greater technology efficiencies and deeper security expertise.
But use of cloud services may increase legal and financial risks for companies as well. Data service agreements with a cloud provider may allow the provider to use or mine your data for its own purposes, such as advertising or marketing. Further, data service agreements may limit a company’s recourse against the provider for a data breach. Finally, data service agreements may also allow the cloud provider to store your information in less expensive cloud servers overseas, where you may lose control of the data and/or your legal recourse against the cloud provider.
While companies may benefit financially from economies of scale in using a cloud provider, the costs to recover from a cloud data breach are greatly increased. The Study noted that extensive cloud migration will increase data breach response costs by approximately $11 per record. The increase in response cost is due to the complexity of the cyber investigation of a cloud-based data breach. For example, investigating an incident in the cloud will likely be more difficult than reviewing log files on a local server. Another example, based on experience, is that third-party service providers will likely be less forthcoming with the information needed to complete the investigation. There are many other examples, but the bottom line is that cloud-based breaches will be more costly and difficult to investigate than local server breaches.
A Study of Blackbaud, Inc.
A recent example of a data breach at a cloud service provider is the breach at Blackbaud, Inc. (“Blackbaud”). Blackbaud provides cloud-based services for not-for-profit companies, such as managing donor databases, providing financial bookkeeping software, or providing marketing services. Traditionally, subscribers to Blackbaud’s services had enjoyed the financial savings and security associated with cloud-based donor databases and financial applications. But recently Blackbaud’s clients have been less enthusiastic about its service, given the legal costs they have incurred in connection with a data breach at Blackbaud.
Blackbaud initially issued a statement on July 16, 2020 outlining its response to an attempted attack. The attack was on its database servers, and the resulting data loss affected clients around the world and is estimated to have affected over 6 million people. Blackbaud initially reported that it had thwarted an attempted ransomware attack with the help of cyber security experts, but not before a significant amount of data was exfiltrated by the hackers.
The official statement from Blackbaud was that it had stopped the attack and that, although data was exfiltrated, no sensitive information such as Social Security numbers or financial account numbers was affected. Blackbaud maintained that all such sensitive information was stored in encrypted database fields. Blackbaud concluded that because the sensitive information was encrypted, a “breach,” as defined by state law, did not occur. Because a breach did not occur, notification to affected individuals was not necessary. However, Blackbaud also disclosed that it had paid the hackers to destroy the data that was exfiltrated. The response left many questioning Blackbaud’s conclusions and the official statement – why would Blackbaud pay to destroy the data when it claimed no sensitive information was taken?
In response to the statement, several companies and individuals have filed lawsuits to find out more about the attack and the types of data accessed. Blackbaud’s clients are struggling to determine whether sensitive data was affected and what their response should be. Many customers have engaged legal counsel to help determine whether they have liability or recourse, whether notifications may still be required, and whether Blackbaud’s conclusion that this incident was not a breach is valid.
Adding to the confusion, Blackbaud, a publicly traded corporation, disclosed in an SEC filing that hackers did in fact have access to some Social Security numbers and other encrypted data. The SEC report includes the following language:
After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the Security Incident. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020 and are being provided with additional support.
Blackbaud also disclosed that it expects the investigation to continue into the foreseeable future, which may mean further disclosures about the extent of the breach and the types of data accessed. Until then, many Blackbaud clients are still waiting on further information to decide what to disclose to their donors and what their liability may be.
Companies can greatly benefit by moving their data to a cloud platform. Such a move can save companies time and money, and they can benefit from the expertise of cloud service providers in technology and security. But responding to a data breach at such a service provider can be expensive and can leave clients unaware of the breadth and depth of the breach. A data breach at a cloud service provider can also have ramifications for large numbers of companies across a wide spectrum of jurisdictions with varying reporting requirements. Finally, to protect themselves, companies should investigate any cloud service provider they intend to use and thoroughly review any contractual requirements, waivers, or liability limitations with an attorney well versed in cyber security and technology practices.