Sidekick Goof Shows Cloud Computing Risks

October 26, 2009 by ADMIN

By John Watkins, Attorney with Chorey, Taylor & Feil

In a prior post, I wrote regarding both the promise of cloud computing, or software as a service, and the very real potential legal issues and conundrums faced by businesses considering moving some or all of their IT services and data to the “cloud.”

Perhaps the most fundamental issue is responsibility, or, more importantly, lack thereof, for lost data.

Recently, users of the Sidekick phone manufactured by Microsoft’s subsidiary Danger experienced a loss of data first hand.

According to published reports, contacts and photos stored on the phones were lost due to a server failure.

One report indicated that the data was most likely permanently lost.

T-Mobile, the distributor of the phone, stated on its website that “recent efforts indicate the prospects of recovering some lost content may now be possible.”

The final outcome remains to be seen.

It is beyond question that many Sidekick users have been, at the least, severely inconvenienced by this event.

The event puts in a very real context the possible loss of data by businesses considering using cloud based services.

Consider the possible consequences of a catastrophic loss of data for a doctor’s office, an insurance agency, a law firm, or basically any other business.

As things presently exist, it appears that users of cloud based services may have little in the way of legal remedies.

A very quick review of the terms and conditions for two of the best known cloud providers illustrates the issue.

The Google Apps Premier Edition Agreement, paragraphs 14.1 and 14.2, disclaims liability for incidental and consequential damages and limits total liability to the amount paid by the customer to Google for services in the preceding twelve (12) months.

The Agreement mandates California law and sets the exclusive venue for any dispute to be the courts in Santa Clara, CA. (Paragraph 15.10).

The Master Subscription Agreement for Salesforce.com, which is said to govern the free trial and any subsequent subscription, similarly limits liability, for any single incident, to the lesser of $500,000 or the amounts paid by the customer in the preceding twelve (12) months (Paragraph 11.1).

The Agreement also excludes incidental and consequential damages (Paragraph 11.2). The exclusive venue for litigation (for North American customers) is San Francisco, CA.

I have not researched the enforceability of these limitations under California law, but it is a pretty safe bet that the attorneys who drafted the terms and conditions have done so.

Assuming the provisions are enforceable, it means, in common parlance, that a customer experiencing a service interruption or loss of data is out of luck.

One prominent commentator, John C. Dvorak, has written that the Sidekick incident may “blow up the cloud,” and that the end user license agreements limiting responsibility are the reason.

For a business considering cloud based computing, the Sidekick incident should provide fair warning. Technology is not perfect.

Data loss does happen, and there may be no effective remedy.

To be fair, this could also happen using a conventional network, and there may be no remedy in that instance as well.

However, a business that backs up its data with a simple tape drive system has a pretty reasonable chance of recovering it in the event of a server failure.

Any business considering a cloud based approach should, at the very least, have the provider’s terms and conditions reviewed so that it can assess the risk it is assuming.

The lawyers who drafted these terms and conditions cannot be faulted: They are doing what lawyers are supposed to do.

Sellers often limit liability, and with good reason. However, if machinery, as an example, breaks down, it can be repaired or replaced.

The irretrievable loss of data is, at least from a real world perspective, different (the “legalities” may well be the same).

Further, the failure of cloud providers to take legal responsibility may limit the widespread adoption of cloud based technology.

Please do not understand this as a blanket rejection of cloud based computing.

I love Google’s applications (after all, this is being written on Blogger) and have been very impressed by a demonstration of Salesforce.

I also am a loyal (perhaps to a fault) T-Mobile customer (BlackBerry, not Sidekick!).

Whether I would store critical data or confidential client information in the cloud, however, is another story, at least at this point in time.

I’m just an old lawyer from Atlanta, but it seems to me that if one of these companies were willing to accept some liability for data loss (such as, for example, a guarantee to restore data in a certain period of time or face some real liability), it would eliminate one of the key objections to cloud based technology.

If the risk of data loss is truly minuscule, notwithstanding the Sidekick incident, this should be a risk that could be spread over a large user base for an incremental additional cost.

It is even possible that an enterprising insurer is developing a product that could serve as a backstop. My guess is there is some money to be made here at a number of levels.

Maybe that vendor is out there somewhere in the cloud.

Updates on the Sidekick Incident

Microsoft is now reporting on the T-Mobile website that it believes it has recovered most, if not all, of the data.

Although this is good news, it appears that the incident has created considerable negative publicity for cloud computing generally.

According to published reports, Microsoft is trying to limit the fallout from the incident, and has stated that the problem arose from technology used by its Danger Inc. subsidiary, which it describes as separate from Microsoft’s other and core cloud based technologies.

It is heartening to know that considerable resources have been devoted to retrieving Sidekick users’ data.

At the same time, as reported in the original post, it appears that cloud providers still often contractually disclaim liability for loss of data.

It has been reported that at least two lawsuits have already been filed over the incident.

It will be interesting to follow whether the lawsuits will be pursued if all or most of the data is in fact retrieved.

I have not been able to determine whether the Sidekick terms and conditions disclaim liability. If they do, it will be interesting to see whether the limitations are enforced.

Also, since the customer’s relationship is presumably with T-Mobile and not Danger Inc., it will be interesting to see if any limitations will apply to Danger Inc.

*   *   *


John Watkins is a full-time business litigation and business attorney and a part-time mediator for a firm in Atlanta, Chorey, Taylor & Feil, with a current focus on trade secret, insurance coverage, shareholder and corporate and commercial contract disputes. At Chorey, Taylor & Feil, a Professional Corporation, we mean business. Serving Georgia, national, and international companies, we provide corporate and business litigation services to a highly diversified client base, ranging from new ventures to middle market companies to the Fortune 500.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com



Filed under: Breach, Chorey Taylor & Feil, Cloud computing, D&O Liability, FEATURE ARTICLE, Financial, ISR News, Insider Threat, John Watkins, PCI, Sarbanes-Oxley, Uncategorized, due diligence, hackers, identity-theft, malware, privacy 
