Contents


    Executive Summary

    Cloud computing, commonly referred to as “the Cloud,” is the storage and delivery of data and other resources over the internet. Instead of storing files on a local computer, the Cloud allows for access to information anytime, anywhere. In recent years, cloud computing has gained traction, but questions about the security of this type of information storage remain. Cloud computing has already involved insurance coverage issues and will continue to do so as incidents of data breaches, impermissible data mining, sale of collected personal data and more come to light. Comprehensive legislation that addresses all the possible issues has not yet been developed, leaving insurers without the complete information needed to draft effective policies to protect cloud computing providers.

    Background

    While the origin of cloud computing dates to the 1970s, the Cloud in its more familiar form came into existence in the early 2000s; by 2009 most companies in the internet market provided some type of cloud service. There are three service models which build on each other to form the Cloud. “Infrastructure as a Service” (IaaS) is the base tier of cloud computing and provides data and resources exclusively through the internet. Examples of IaaS include Windows Azure, Google Compute Engine, and Amazon EC2, which allows users to “rent” virtual computers where they can run their own applications. “Platform as a Service” (PaaS) is the next tier. It provides some of the same advantages of the IaaS but goes further and allows users to develop software and create applications. Examples of PaaS include Force.com, Heroku, and Google App Engine, which allows users to develop and host applications in data centers managed by Google. The top tier in the Cloud is “Software as a Service” (SaaS). SaaS gives users access to databases and application software over the internet. Examples of SaaS include Cisco WebEx, Salesforce, and Google Apps, which allows users to access applications that are hosted on a remote server, through the internet.

    There are several types of clouds. A public Cloud is the most basic form of cloud computing and, essentially, is the internet. This type of Cloud is the most commonly used by the general public and requires no additional software or other type of infrastructure. A private Cloud is a data center for an individual company that can be managed by a third party or internally. Private Clouds allow large businesses handling sensitive information to keep information more secure. Hybrid Clouds combine the safety of the private Cloud with the accessibility of the public Cloud for use with less sensitive information, or in times of high demand. A community Cloud targets a set of consumers that desire cloud services that fall between those available from private and public clouds. A community cloud features an infrastructure and computational resources exclusive to two or more organizations that have certain things in common, such as security and privacy considerations.

    Injuries and Damages

    As the cloud computing market grows in size and revenue, concerns about the security of the information stored in the Cloud also grow. Companies and individuals are grappling with issues of data mining, the permanence of stored information, data breaches and more. Data Breaches, wherein hackers gain access to sensitive data, are more likely to occur in businesses that utilize the cloud. A range of damages can occur from accounts being hijacked, such as falsified and manipulated information. Malware, ransomware, and denial of service attacks are dangerous, and can be costly to the attacked business. The use of cloud computing opens up a world of online risk that can damage the privacy, operation, finances, and reputation of businesses.

    Legislation and Regulation

    servers and other physical infrastructure running the software and storing the data would be unimportant. Cloud services, however, are provided from – or delivered to – specific geographies for several reasons, including privacy regulations and local legislation. Cloud providers are facing the largely unanticipated geopolitical realities and limitations inherent in seeking to deliver services across multiple borders. For example, the fact that in 2018, China boasted the fastest-growing computing cloud in the world but that the nature of its cloud services is different than that of the U.S. may present several issues. There has also been concern that if U.S. companies choose to use computing services offered from another country, U.S. law enforcement could request access to that data regardless of where it was stored. Some companies have changed the location of their cloud computing operations to address these and other concerns. In one case, a large U.S. company chose to offer Cloud computing services from European-based data centers where the data is stored under the control of a “data trustee” and the company cannot access the data unless it has the customer’s permission. Another U.S. company gave customers more control over their data stored in a European datacenter, and ensured that only European-based company employees are allowed to approve policy changes at the center.

    Government agencies are looking critically at the location of the company offering Cloud services, warning that there are national security risks in foreign ownership. For example, the Trump Administration recently determined that the Chinese ownership of the social media app TikTok posed a national security risk. In lieu of banning the app in the United States, the Us government mandated that the app must be sold to a US company. Oracle has acquired the US operations of the company. The transfer of the US operations to a US located company has reportedly mitigated the national security risk associated with the app. Agency managers also note that depending on the nature of the data being collected and where it is stored, data protection may be governed by different legal jurisdictions. Some Cloud services providers have had to change how their services are delivered to comply with local laws. For example, because China prohibits non-Chinese companies from owning cloud computing technology, Chinese companies govern the U.S.-based entities located there. Some industry experts have used the term “digital fragmentation” to describe the effects of different countries increasingly enacting privacy and cyber-security regulations, insisting that the legislation increases business expenses and creates barriers to globalization. Still, Cloud computing continues to gain acceptance.

    Liability and Insurance

    As with any technology-based service, the risks to individuals and companies are continuously evolving. Liability concerns in cloud computing may include the following:

    • Use and sale of personal data
    • Business Interruption
    • Data Mining (analyzing user information for gain)
    • Data retention time period
    • Disruptions of cloud computing services
    • Data breaches
    • Third-party involvement
    • Copyright infringement
    • A range of cyber crimes
    • Transfer of data between clouds (transferring information between providers)

    Cloud computing has the potential to generate consequential claims which will involve insurers, given the enormous amount of sensitive information cloud computing entities handle daily. Existing legislation in this developing field can be vague or incomplete, potentially leaving a company unprepared and liable for large claims.

    Because data stored in the Cloud does not meet the definition of “tangible property” under the standard commercial general liability policy, a company may be entirely unprotected from the consequences of data breaches or data erasure. As hacking has become more efficient and dangerous, some insurance companies have sought to offer protection. While defining the Cloud has proven to be difficult because of the Cloud’s constant evolution, insurers have generally agreed to the basic premise that the Cloud is a third-party network used to support a company. These “third party networks” are any sort of Cloud service that is providing the company with some service, be it an IaaS, PaaS, or SaaS. It is unclear, however, who ultimately bears responsibility for any particular type of breach. Some Cloud users assume that risk is always transferred to the Cloud company when the data is handed over, but this is not always the case. For example, Cloud providers for the health care industry are responsible for protecting patient confidentiality at the same level as health care providers, but do not have full liability for the transfer of information; rather, the liability is expanded from the health care provider to the Cloud service, placing the risk on both parties.

    Some insurers offer specific policies or contract clauses related to Cloud computing, including provisions intended to protect the company from the consequences of a Cloud failure that exposes company information. Specifically, some companies have begun offering insurance to protect against losses that originate from “Contingent Business Interruption,” from the failure of a Cloud service provider. This type of insurance may cover costs associated with finding and transitioning to a new Cloud company and might cover loss of income.

    Litigation

    Cloud computing litigation brings several issues to light.

    Data Breaches
    One of the most pressing issues in Cloud computing is liability for data breaches. In July 2015, infidelity website Ashley Madison suffered a large-scale data breach which exposed the personal, financial, and identifying information of the site’s roughly 27 million users. Several U.S. lawsuits were filed; in 2017 the company settled for $11.2 million. [Ashley Madison Customer Data Security Breach Litigation, MDL No. 2669, 4:15-MD-02669 (E.D. Missouri)].

    In late 2014, Sony Pictures fell victim to a Cloud-based hack. Certain personal, financial, and medical information belonging to former and current Sony employees was leaked and posted online. In 2015, a federal lawsuit seeking class action status was filed on behalf of tens of thousands of Sony’s current and former employees. Sony reached a settlement agreement in 2015. [Corona v. Sony Pictures Entm't, Inc., 14-CV-09600 RGK (C.D. Ca.)].

    Data Mining
    Data mining is the process by which companies collect incoming data and analyze the information to find trends and patterns. In 2013, a data mining lawsuit was filed against Google by users of Google’s e- mail service, Gmail, in which Google was accused of violating users’ privacy by scanning their e-mails and mining the contents to create targeted advertising and profiles for its users, both of which are illegal acts under federal wiretapping laws. Certain litigants sought to create a class action; the court, however, refused, citing a lack of unity between the cases. Had the lawsuits been allowed to proceed as a class suit, experts proposed that it had the potential to become the largest group lawsuit ever, with damages possibly in the trillions of dollars. [In re Google Inc. Gmail Litig., No. 13-MD-02430 (N.D. Ca.)].
    In 2018, The District of Colombia filed a lawsuit against Facebook following the social networking site’s involvement with Cambridge Analytica, in which it allowed the UK based data firm to improperly access data from as many as 87 million users. Other cities followed suit. The social media giant has faced many similar suits, which lead to large payouts, and damaging reputation hits. The case has still not yet been decided.

    Use and Sale of Personal Data
    In September of 2013, a lawsuit was filed against Google for the transfer of personal data to a third-party company. The case, led by plaintiff Alice Svenson, sought and was granted class action status. Svenson accused Google of sending her personal Google Wallet data, which can include debit and credit card information, addresses and phone numbers, to the app developer company YCDroid. In April 2015, a federal judge rejected Google’s request to dismiss the suit, stating Google had to face the claims that it breached users’ contracts, and violated both a California consumer protection law and the federal Stored Communications Act. [Svenson v. Google Inc., No. 13-cv-04080 (N.D. Ca.)].

    Cloud Competitor Cases
    Patent litigation over cloud technology is increasing. Non-practicing entities have claimed cloud-related patents, suing inventors who come close to their patented product, making it harder for business innovation to occur. The Supreme Court has limited what inventors can patent by expanding the definition of “abstract ideas” that cannot be patented. Other, more legitimate cloud competitor cases have been filed by newcomers trying to tackle industry giants, or established organizations protecting their success from new players. One such case involved Zscaler, a cloud security firm, who was sued by the longstanding firm Symantec on the basis of patent infringement. Zscaler agreed to a $15 million settlement.

    Future Outlook

    Cloud computing is the fastest growing market in the technology industry. The expectation is that the frequency and severity of security breaches will also increase, meaning that companies must rapidly develop techniques to fight these cyber threats. One possible remedy suggested by some experts is the concept of “bring your own key” (“BYOK”). BYOK offers the user the ability to hold the encryption keys for their Cloud data, allowing the user to be in control of all their data at all times. BYOK also allows Cloud companies to shift some liability to the consumers. There are risks with this method, however, such as if the encryption key is lost by the customer, all the data encrypted to that key is lost forever with no chance for recovery. Still, according to various industry experts, the Cloud is an easy and relatively safe way to store information; despite this professed safety, however, specialists point to the inherent risks associated with any kind of internet technology. As Cloud usage becomes more ubiquitous, insurance companies will have to develop robust policies to manage the inherent risks.

    In the News

    2016

    • Downtime, security risks prevalent in private cloud - Regina Pazvakavambwa, ITWeb (11/16/2016)
      The growing level of complexity, increasing interdependence among infrastructure components, and escalating pace of change, has proven that keeping cloud infrastructure free of risky misconfiguration has become a challenge that most organisations fail to meet. This is according to Continuity Software's recent research: 2016 Private Cloud Resiliency Benchmarks, based on data gathered from over 100 enterprise environments over the past year, the study found that downtime and security risks were present in each cloud environment tested. It says companies running mission-critical systems in the cloud are less successful in meeting their service availability goals compared to organisations that don't store any of their mission-critical data in the cloud.
    • New guidance lays out HIPAA obligations for cloud computing - Joseph Goedert , HealthData Management (10/13/2016)
      The Department of Health and Human Services has published new guidance on complying with HIPAA privacy, security and breach notification rules when using cloud computing technology. The guidance gives insights for providers, business associates and cloud computing vendors. Some of the guidance is basic and well-known to many HIPAA-covered entities. The first question, for instance, considers if a HIPAA-covered entity or business associate may use a cloud service to store or process electronic protected health information (ePHI). The answer is yes, provided the vendor enters into a business associate agreement that specifies how HIPAA compliance will be maintained. But overall, the guidance will help providers develop a better idea of the current and ongoing security status of cloud vendors and other business associates (BAs).

    2015

    • Cloud Popularity Drives Increased Role for Risk Management - David Weldon, Information Management (12/04/2015)
      Cloud adoption continues to rise at a significant pace, with most mid-size and large organizations storing at least some of their data and applications in the cloud. The increased popularity of the cloud adds to the vulnerability of corporate data, of course, and makes the job of risk analysis all the more important, warns Samson David, senior vice president and global head of cloud infrastructure services and security at Infosys.
    • U.S. CIO tells IT leaders to trust the cloud - Matt Kapko, CIO (10/22/2015)
      This week, the U.S. federal government's most powerful IT steward bestowed unbridled praise upon the largest cloud providers, during a Google for Work webcast.
    • More than half of large insurers to increase use of cloud and co-sourcing services over next five years finds SS&C survey - PR Newswire (09/30/2015)
      SS&C Technologies Holdings, Inc. ("SS&C") (Nasdaq: SSNC), a leading global provider of financial services software and software-enabled services, today reported the results of its Global Insurance Asset Management Technology Outlook survey - looking at the changes large insurers plan to make over the next five years.
    • Mobile Wallets Are Not Securing Data as It Goes to the Cloud - GEORGE AVETISOV, (08/06/2015)
      There is money to be made for merchants who support mobile payments. However, cyber criminals have noticed and they want their cut, too.

    2014

    • The Era of Cloud Computing - Quentin Hardy, New York Times (06/11/2014)
      Industry analysts at IDC figure that if largely cloud-based things like mobile apps, big data, and social media are counted, over the next six years almost 90 percent of new spending on Internet and communications technologies, a $5 trillion global business, will be on cloud-based technology.
    • Cloud Adoption Lower than Expected - Rachael King, Wall Street Journal (05/01/2014)
      Large companies have moved to cloud office productivity services offered by vendors like Google Inc. and and Microsoft Corp. more slowly than many initially expected.

    Additional Items

    “By far and away the most well rounded and useful Cat-focused industry conference out there. Perfect for all levels within the industry. From the conference content, the presenters and the attendees, this conference is a can’t miss for those interested in expanding their knowledge and learning more about cat related insurance and reinsurance modeling topics â€ť Nick DiMuzio, Everest

    "Fantastic, enriching conference - brilliantly planned and run, illuminating talks and excellent opportunities for networking across multiple areas of catastrophic risk.” Gary Ackerman, University at Albany

    “From a treaty underwriter's point of view, RAA presented relevant topics related to today's macro events. Scientific presentations provided insight that I can incorporate in underwriting and share with my clients.” Eric B. Silberman, Munich Re

    "Great conference with some of the biggest names in the business presenting their work. What more could you ask for?” Ron Nash, Nash Consulting

    “A perfect introduction to the world of reinsurance. Relevant topics, great speakers and the opportunity to network with industry peers makes this a must go event.”
    Tom Barrett, Everest Re

    Demystifying Reinsurance was an excellent tool to clearly understand and break down the basics. Very good class and recommend it for beginners and even as a refresher course for the intermediate student.”
    Chenessia West, TransRe

    “Re Basics is the ideal opportunity whether an industry professional or student of insurance to understand the in and outs of reinsurance while being able to network with persons spread across the whole industry.”
    Darius Zuill, Bermuda Monetary Authority

    “This has been the best reinsurance seminar that I have been to! Whether a reinsurance seasoned vet or new to the field, this is an engaging seminar that addressed specific issues of the reinsurance market.”
    Michelle Thimm, Church Mutual Insurance 

    “Re Underwriting provided a comprehensive and interesting overview of underwriting in the current market with a major (and interesting) focus on trends. Very useful for underwriting and non-underwriting alike.”
    DeVika Bourne, PartnerRe

    “Very informative experience, and a great way to keep up to date on current underwriting events and trends.”
    Steven Whalen, Aspen Re

    “Time well spent in learning the updated underwriting business and networking!”
    Christine Chen,  Everest Re 

    “The panels and presentations were thought provoking and fascinating as numerous topics were covered affecting the industry. I’m leaving the conference with a greater insight of the future market.”
    Brittany de Frias, AXIS Capital 

     

    “RAA Re Finance was the first RAA seminar I attended, and I was thoroughly impressed with the speakers and content. I learned a great deal from the presentations and intend to bring some new ideas back to my company and share with the team!”
    Taylor Robinson, ICW Group

    “Fantastic slate of instructors who thoughtfully walked us through financial reporting and other aspects of reinsurance finance. They used terminology that non finance people (lawyers) could understand. Really great program.”
    Steven Bazil, The Bazil Group

    “If you are in Reinsurance Accounting/Finance, you need to take this course to help you with your job.”
    Frank Borawski, Markel  

    “The speakers were excellent! There is something to be said about a person, and in this case a group of people, who can take time away from their busy schedules and explain to everyone something they feel passionate about in a manner that's understandable. My only complaint is that I wish we had more time with them.”
    Jessica Mieles, Sompo International

    “The RAA ReContracts is the most comprehensive reinsurance contract wording training available in the U.S. market.”
    David Kragseth, Guy Carpenter   

    “The course was very helpful in addressing different viewpoints and important things to consider in contract design and review.”
    Andy Martin, AmericanAg 

    “The RAA contract course was very informative and interesting. It covered a wide range of Reinsurance Contracts Types. In my Reinsurance Career, I have had the opportunity to work on a limited type of contracts, so I learned a lot.”
    Vivian Castro, Arch Insurance Company 

    “The RAA Contracts course provides the opportunity to engage with relevant topics, taught by industry experts, in both seminar and small group environments. The course material and industry experts provide an understanding on a wide range of subjects.” 
    Kevin English, LMRe

    “Participation in Re Claims should be mandatory for all P&C reinsurance underwriters. It’s truly an eye-opener, providing an in-depth look from a claims manager’s perspective on what happens to the business that we underwrite. There are lots of do’s and don’ts to pay attention to. Re Claims answers all the hard questions."  Michael Delacruz, China Re P&C

    “I absolutely love this program. I learned so many new things. Reinsurance from the industry’s top executives, interactive activities, interesting panels, and innovating presentations makes for an intriguing few days. Well worth the time and money.” Chenessia West, TransRe

    “As a reinsurance attorney I find Re Claims highly valuable to stay abreast of emerging issues. Also, being walked through practical case studies is extremely helpful in creating a thorough understanding of how contracts work.” Steven Bazil, The Bazil Group

    Become a Re Scholar!

    The Re Ed Institute's Re Scholar Program seeks to recognize those who achieve a high standard of reinsurance education by completing the Re Scholar curriculum. Learn More.


    Become a Re Ed Sponsor

    The RAA’s Reinsurance Education Institute programs attract professionals from the world’s leading insurance/reinsurance companies, brokers, law firms and consulting firms. Interested in sponsoring? Contact Carolyn Fahey.