

The customer should always address insurance issues in cloud computing situations, both as to the customer’s own insurance policies and the vendor’s insurance. Most data privacy and security laws will hold the customer liable for a security breach whether it was the customer’s fault or the vendor’s fault. Thus, the customer should help self-insure against cloud computing risks, including data and security issues, by obtaining a cyber liability or similar policy.

Cyber liability insurance can protect the customer against a wide range of losses. Most cyber insurance policies will cover damages arising from unauthorized access to a computer system, theft or destruction of data, hacker attacks, denial of service attacks, and malicious code. Some policies also cover privacy risks like security breaches of personal information, may apply to violations of state and federal privacy regulations, and may reimburse the resulting legal and public relations expenses.

Requiring the vendor to carry certain types of insurance enhances the likelihood that the vendor can meet its obligations and provides direct protection for the customer. In addition to a cyber liability policy, other forms of liability insurance that a customer should require a vendor to carry in a cloud computing transaction include technology errors and omissions liability insurance and a commercial blanket bond, including electronic and computer crime or unauthorized computer access insurance. These types of insurance will cover damages that the customer or others may suffer as a result of the vendor’s professional negligence and of intentional acts by others (e.g., vendor’s employees, hackers). It is critical that the customer require the vendor to have these sorts of policies and not just a general liability policy. Many commercial general liability policies contain a professional services exclusion that precludes coverage for liability arising from IT (e.g., cloud) services, as well as other exclusions and limitations that make them largely inapplicable to IT risks.


It is appropriate for cloud computing transactions to include a vendor indemnification whereby the vendor agrees to defend, indemnify, and hold harmless the customer, as well as the customer’s affiliates and agents, from any claim arising out of the vendor’s breach of its obligations with respect to the confidentiality and security of the customer’s data. Any intentional breach should be fully indemnified, meaning that the customer will have no “out-of-pocket” costs or expenses related to recovery of the data and compliance with any applicable notice provisions or other obligations required by data privacy laws. In the event the data breach is not intentional, the vendor may require a cap on its potential liability exposure, which may be reasonable depending on the nature of the unintentional act and the type of customer data in question.

It is also appropriate for these transactions to include a broad intellectual property infringement indemnification that would protect the customer from damages, costs, and expenses arising out of any claim that the software infringes the intellectual property rights (think trademark, copyright, trade secret, patent, and any other intellectual property rights) of any third party. This means that the customer will never be responsible for any costs or expenses if some third party claims that the software the customer is using infringes its intellectual property. It is common for vendors to limit the intellectual property indemnification only to infringement of copyrights. This is not an appropriate or widely accepted limitation on the vendor’s indemnity obligations, since many infringement actions arise out of patent or trade secret rights.

Vendors will also try to limit their exposure by limiting the indemnity to infringements of patents “issued as of the effective date” of the agreement. This limitation should be avoided since it will result in a customer’s exposure to damages, costs, and expenses as a result of a claim that the software infringes a patent issued after the effective date. The vendor should be responsible for continued diligence with respect to the noninfringement of its software and any such limitation on that responsibility should be avoided. Vendors frequently also limit these indemnification obligations to “United States” intellectual property rights. While this is generally acceptable, the customer should consider whether its use of the software will occur overseas.
