Is Amazon’s “Cloudgate” a network security matter?
Amazon has a significant cloud computing business, which it calls Amazon Web Services (AWS). AWS rents data storage and web services to its customers. These customers use the outsourced services to avoid the expense and distraction of providing those services for themselves. As a risk management matter, cloud computing customers should make sure that their data is stored in different locations and that they have adequate backup and disaster recovery options in the event of outages or crashes. Because such “redundancy” services can be expensive, some of Amazon’s smaller corporate customers did not purchase them. When Amazon’s data center in Northern Virginia experienced an extended outage, these customers did not have effective contingency plans, and their websites performed slowly or crashed. The media has used this incident to focus on the risks that companies face when they outsource core services and rely on third parties to prevent — and then fix — the problems that can arise.
The confluence of terms such as “cloud computing,” “web services,” “data centers,” and “network” has caused many to assume that liabilities incurred by Amazon in connection with its outage would be addressed by a “Network Security” policy. Based on the information currently available, it seems unlikely that such a policy would provide coverage in this situation. It is true that network security policies can provide coverage when customers are denied access to their data. To be covered under a network security policy, however, the denial of service must be caused by viruses, hackers or other active malfeasance that has compromised the insured company’s network. Denial-of-Service coverage is triggered by the insured company’s failure to stop such invasive actions from preventing legitimate access to the network or the data it contains. This coverage is not intended to indemnify against losses caused by design, mechanical, electrical, operational or similar problems. Amazon has described the problem as a “network event,” but at this point there has been no indication that the problem was caused by external sources. Somewhat ironically, perhaps, it appears that AWS’s own web services software in effect launched a Denial-of-Service attack on AWS’s infrastructure.
It is likely that Amazon will look primarily to its Errors and Omissions (E&O) policy to provide indemnification for its liability exposures. After all, providing its customers access to their data is at the core of the professional services that AWS performs. Even here, though, coverage cannot be taken for granted. It will depend on the facts that are ultimately revealed about the source of the collapse and the nature of the damages caused. There are common E&O policy provisions which, if not properly addressed in the policy form or amended through negotiation, could greatly limit or even bar coverage for damages caused by the outage. It will be instructive to see how the insurance picture develops as more information becomes available.
Connect with John Doernberg on LinkedIn.