In this article, Dr. Aline Tanielian explores the legal challenges and potential hurdles faced by companies seeking compensation for losses caused by a Cloud outage. She delves into the implications of service provider terms and the critical need for legal and technical safeguards in the ever-reliant digital landscape.
The Cloud is down: any compensation?
1. If the recent Cloud outage caused by CrowdStrike’s software glitch[1] has taught us anything, it would be how much we are now globally and seriously affected by an outage of the Cloud, even a temporary one: be it cancelled flights, closed banks, or out-of-service infrastructures, hospitals and government facilities, to name but a few essential services, losses sustained from the Cloud outage were numerous and massive.
2. Delta Airlines has already initiated legal proceedings claiming compensation against CrowdStrike and Microsoft for the losses arising from the flights it had to cancel[2], but what will be the hurdles that Delta and other Cloud users will most likely face by seeking compensation for losses arising from such outage?
3. The answer to this question depends of course on the type of services used on the Cloud, but also on whether the user is a consumer or not and has or not legally protected himself/herself and eventually his/her business from a Cloud outage when clicking on the infamous “I have read and accepted the Terms of Service” upon subscribing to any service on the Cloud.
4. Indeed, by clicking on that box to subscribe for a Cloud service such as Netflix, Facebook, Dropbox, LinkedIn, GoogleDrive, Microsoft 365, Amazon Web Services…, users express their approval of the Cloud Service provider’s offer to enter into an agreement and consequently become contractually bound with the Cloud service provider on the basis of its terms of service, privacy policy and other provisions mentioned on the Cloud provider’s website.
5. Since the service provider drafts such terms and conditions of use, and the users usually agree to be bound by them without trying to negotiate them, or even without reading them, the Cloud provider will be protected by the various limits of liability it will surely include within its terms of service (I), but which might be overridden in some cases (II).
Limits to the Cloud providers’ liability
6. First of all, and although most of the servers for the provision of Cloud services are located in the United States and China, it is very important to identify the entity designated as the service provider within the terms of service to determine who undertook to provide the Cloud service in the first place. Indeed, often a service provider will choose one of its subsidiaries established in Europe to be the official service provider under its terms of service. This has material repercussions over who to hold liable and the assets which can be seized to enforce an eventual compensation granted to the user against that entity. The identification of the liable person becomes even more complicated in case of layered Cloud services, i.e. when a user has subscribed to a software service (i.e. Software as a Service “SaaS”) or platform service (i.e. Platform as a Service “PaaS”) on the Cloud and the provider of such software/platform has in turn subscribed to use the infrastructure (i.e. Infrastructure as a Service “IaaS”) of another Cloud services’ provider. This is the case for example for Apple’s iCloud services which use the infrastructure of Amazon Web Services, among other IaaS providers.
7. Another important provision of the terms of service to review in order to evaluate the chances of success of a claim based on the service provider’s liability in case of the Cloud’s outage is of course the governing law and disputes resolution clause in the service provider’s terms of service: there are various choices adopted by the Cloud providers in this regard with a frequent designation of the English and US laws and courts. This could in turn be a hurdle to a liability claim in light of the costs associated with a lawsuit in these jurisdictions, particularly if the user is not resident in the US or the United Kingdom.
8. However, the hardest challenges that users will face when claiming compensation from the Cloud outage are the various liability exclusions and caps that the Cloud providers include in their terms of service: whether they exclude the continuous provision of Cloud services from their scope of service altogether, or exclude any liability from an outage, or limit such liability to direct losses sustained from an outage caused by the Cloud service providers’ willful misconduct, or provide low caps for any compensation which may be due by them (often in the form of credits covering a few months of future Cloud services mentioned in the Service Level Agreement (SLA) agreed upon by the users), the service providers tailor their terms of service with the maximum limits of liability they might get away with.
9. With these material limits in place, is there any chance of being compensated for losses due to the Cloud outage?
Overriding the liability limits
10. Individual users have better chances to override the above-mentioned liability limits since they are often protected by mandatory provisions of consumer laws, be it through the consumer law provisions of the governing law designated in the Cloud service providers’ terms of service, or the consumer law of the user’s place of residence: indeed, some of these mandatory provisions consider liability exclusions abusive and this is certainly very useful in order to declare such provisions as null and void before the courts and therefore overcome the limits of liability inserted in the Cloud providers’ terms of service. Furthermore, other mandatory law provisions often prohibit limitations of liability in case of loss of human life or physical injuries caused to an individual user.
11. In any case, businesses do not benefit from the protection of such mandatory laws specific to individuals and consumers although they are the ones that would suffer the most from a Cloud outage, as we have recently witnessed by the “blue screen of death” that paralyzed businesses due to the CrowdStrike’s software glitch.
12. Preventive technical measures are of course paramount to protect these businesses from a Cloud outage through frequent back-ups ensuring the availability of the data, or by keeping the most sensitive or crucial information or operations outside the Cloud on in-house servers, or through cyber insurance by insuring the risks related to the loss of data; all these measures would help limit the losses in case of a Cloud outage by ensuring business continuity.
13. However, there are also legal protections that specialized lawyers can recommend, particularly for multinationals and big enterprises in the course of their negotiation of the terms of service of the Cloud service provider. Indeed, and although the Cloud service providers are notoriously reluctant to change their standard terms of service or agreements, there are some liability exclusions and caps that they often accept to negotiate and amend for their big clients..
[1] https://edition.cnn.com/2024/07/24/tech/crowdstrike-outage-cost-cause/in...
[2] https://www.techtarget.com/searchcio/news/366603172/What-the-Delta-Crowd...