Case Study for Legal Risk Management for “Cloud Computing”: Data Loss for T-Mobile Sidekick® Customers

October 29, 2009 by

Telecom providers are increasingly outsourcing IT functions for “cloud computing.” A widespread data loss in mid-October 2009 by an IT outsourcer to a mobile telephony provider underscores the practical limitations of using the Internet as a data storage platform.

In this episode, subscribers to T-Mobile Sidekick® mobile devices were informed that their personal data – contact information, calendars, notes, photographs, to-do lists, high scores in video games and other data – had almost certainly been lost. T-Mobile (a service of Deutsche Telekom AG) had outsourced the management of the “cloud computing” function for the Sidekick® devices to Microsoft’s subsidiary, Danger, Inc. While T-Mobile has offered a $100 freebie in lieu of financial compensation and some data was recovered, the case invites legal analysis of the liability of any service provider – whether for mobile telephony or enterprise backup and remote storage – for “software as a service” (“SaaS”) or “cloud computing.”

Technological Framework for “Cloud Computing.” “Cloud computing” means simply that data are processed and stored at a remote location on a service provider’s network, not on the enterprise’s network or a consumer’s home computer. Such data could be any form of digital information, ranging from e-mail messages (such as those stored by Google and Yahoo!) to databases, customer records, personal health information, employee information, company financial information, customer contracts and logistics information.

“Clouds” come in two flavors: public and private.

  • In a public cloud, the general principles of the Internet apply, and data transmissions can flow between many different third-party computers before reaching the service provider’s servers. Amazon offers hardware in variable computing capacities in its “Elastic Compute Cloud” (or “EC2”) service. Similarly, Google offers an “App Engine.”
  • In a private cloud, one service provider (alone or with its subcontractors) controls the entire end-to-end transport, processing, storage and retrieval of data.

Cloud computing exposes users to some key vulnerabilities and added costs:

  • The user depends on a high-performance Internet connection. Service level performance cannot be guaranteed except in private clouds.
  • “Single points of failure” (“SPOF”) can arise in data transmission, processing and storage, for which special security measures and redundancy may be required. Heightened security risks require extra resources.
  • Loss of control over the public portion of a “public cloud” can impair performance through delays and data loss resulting from uncontrolled environments.
  • Delays in data restoration may occur due to interruptions in data transmissions.
  • Business continuity, resumption and data protection require special solutions.
  • Passwords could be guessed at using social networking tools, but if the user accounts are maintained internally in a controlled network, the systems could use techniques to detect and eradicate misuses and abuses from users based on aberrational access profiles and unauthorized territorial access. In a public cloud, security tools such as data leak prevention (“DLP”) software, data fingerprinting, data audit trail software and other tools might not be effective.

Such vulnerabilities explain why “cloud computing” needs special controls if used as a platform for providing outsourced services.

In the October 2009 T-Mobile debacle, users relied on the telecom service provider to store and back up the data. Mobile telephony devices (other than laptops) were seen as tools for creating, but not storing, significant volumes of data. Remote data storage was a unique selling proposition, or so one thought.

T-Mobile’s Technological Failure. On its website, T-Mobile disclosed the technological sources of the failure of its “cloud computing” for mobile devices. It explained:

We have determined that the outage was caused by a system failure that created data loss in the core database and the back-up. We rebuilt the system component by component, recovering data along the way.  This careful process has taken a significant amount of time, but was necessary to preserve the integrity of the data. SOURCE: T-Mobile Forums, Oct. 15, 2009 update.

Mitigating Damages: Public Relations Strategy for Restoring Customer Confidence and Maintaining Brand Goodwill. After some delay, without admitting any liability or damages, T-Mobile adopted a “damage control” strategy adapted from the usual “disaster recovery” process models:

Compensation. It offered any affected customers a $100 gift card for their troubles in addition to a free month of service.

Communication Outbound. It created and updated a Web forum for Sidekick users to get information about the nature of the problems, whether the data loss was irretrievable and the time to resume operations.

Communication Inbound. It provided an e-mail contact address so that it could respond to inquiries and thus identify and counteract rumors that might have been spreading.

Compliance. T-Mobile notified the public media since the “disaster” exposed it to the possibility that more than 5,000 consumers in any particular state might have had their personally identifiable information (“PII”) exposed to unauthorized persons such as hackers. Such notifications (along with other notices to individual customers and designated government officials) are mandated by state law in over 40 states.

Corrections and Control. It focused on remediation first, deferring problem resolution with any claims against its service provider, Microsoft’s subsidiary Danger, Inc.

Confidentiality. It kept its communications with its failing provider confidential and focused on remediation.

Escaping Liability for Damages. Generally, telecom service providers disclaim liability in excess of a small amount. Further, service contracts contain exclusions of liability for consequential damages as well as force majeure clauses. Generally, such disclaimers and exclusions are enforceable. However, various legal theories might prevent a service provider from escaping liability for failed service delivery.

Legal Risks for Providers of “Cloud Computing” Services. T-Mobile consumers might assert various legal theories against T-Mobile for damages if their data are not fully restored, or if T-Mobile fails to act promptly and reasonably to mitigate damages to consumers.

False Advertising; Unfair and Deceptive Practices. State and federal laws prohibit false or deceptive advertising and unfair and deceptive practices. Enforcement of these laws is generally restricted to governmental agencies such as the Federal Trade Commission, the Federal Department of Justice and the state Attorneys General. Deception is a term of art and depends on the facts. In this case, the question is how solidly T-Mobile portrayed the benefits of “cloud computing,” and whether it warned against loss of data. If T-Mobile can show that it warned users of potential data loss and recommended that they back up their own data, such a warning might relieve it from liability. If T-Mobile represented that it would use reasonable security, backup and business continuity services, subscribers with lost data might have a claim of negligence or gross negligence.

Consumer Fraud. Under common law and state consumer protection laws, generally, a fraud occurs when the seller knowingly misleads or makes a false statement of fact to induce the consumer to make a purchase. A massive fraud is subject to a class-action claim in Federal court under the Federal Rules of Civil Procedure.

Magnuson-Moss Warranty Act. Normally, an outsourcing services contract is not one that is associated with the maintenance of a product such as a telephone or a computer. If the service provider were also selling any equipment to the customer, and the customer were a “consumer,” and the service provider agreed to maintain or repair the consumer product, then the Magnuson-Moss Warranty Act, 15 U.S.C. § 2301 et seq., would apply. This risk explains why sellers of consumer products (mobile telephones) offer only limited warranties. The Magnuson-Moss Warranty Act is probably not a source of potential liability for T-Mobile, but that depends on the customer contracts.

Privacy Violations. Cloud computing providers may become liable to consumers or enterprise customers for failure to comply with applicable privacy statutes. Such statutes protect personal health information (under HIPAA), personal financial information (under the Gramm-Leach-Bliley Act), personally identifiable information (state and federal laws), financial information of a plan fiduciary under ERISA or other law, or simply confidential information that could be a trade secret or potentially patentable idea of an enterprise or its customers, suppliers or licensors. Data subject to export control laws and regulations governing trade in arms and “defense articles” are thus not good candidates for “cloud computing” except for “private clouds.”

Enterprises hiring third parties to remotely process and manage their operational data are liable to third parties if any protected data is mishandled, depending on the exact wording of the law. Allocation of liability for privacy and security violations is typically a negotiated element of any outsourcing agreement.

Protecting Consumers in Cloud Computing. The legal framework for “cloud computing” needs to be well defined before it can become a reliable business model replacing networks or local workstations. Regardless of disclaimers in consumer contracts, providers of “cloud computing” services will need to adopt reliable, resilient storage backups, disaster recovery and business continuity services. Moreover, when hiring a “cloud computing” service provider (as T-Mobile did when it hired Microsoft/Danger, Inc.), the seller must ensure high standards by its subcontractors. Telecom outsourcing to IT providers requires special technical and legal controls to protect the consumer and the telecom carrier.

Outsourcing Law & Business Journal™: April 2009

April 27, 2009 by

OUTSOURCING LAW & BUSINESS JOURNAL (™) : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com for commentary on current events.

Insights by Bierce & Kenerson, P.C., Editors.  www.biercekenerson.com

Vol. 9, No. 4 (April, 2009)

Special Notice

WEBINAR ON LAW AND POLICY IN GLOBAL SERVICES: Pending U.S. Legislative Challenges to Global Services and Captives.

A Webinar, New Date, Thursday, May 14, 2009, 11:00 – 11:45 A.M. Eastern Daylight Time U.S.

Speakers:

  • William B. Bierce, Esq., Bierce & Kenerson, P.C. – outsourcing lawyer
  • Caren Z. Turner, Esq., Turner Govt. and Public Affairs – registered lobbyist and political analyst
  • Congressional staff, invited.

This webinar will identify and analyze a number of early indicators of the Obama Administration’s and the Democratic-controlled Congress’s policies that will have a major impact on buyers and sellers of outsourced and captive services, both domestically and offshore. In this seminar, you will hear about:

  • Pending legislation that could facilitate unionization and reduce outsourcing opportunities.
  • Executive Orders and Proclamations that may violate NAFTA and WTO obligations, and the potential impact on “free trade” and “protectionism” abroad.
  • Environmental legislation that could impair local manufacturing in the U.S.
  • Trends in Presidential and congressional policies affecting sourcing practices and costs.
  • Prognostications on passage of legislation and adoption of Presidential actions.
  • Strategies for risk management and development of new opportunities.

This webinar is by invitation only. To register, please click here.

___________________________

1. Social Networking and Cybersquatting in Outsourcing: Legal Conflicts where BPO Meets SaaS.

2.  Humor.

3.  Conferences.
___________________________

1. Social Networking and Cybersquatting in Outsourcing: Legal Conflicts where BPO Meets SaaS. Social networking on the Internet depends on that part of information technology that is called “software as a service” (“SaaS”). SaaS offers a form of outsourced infrastructure for relationship management. SaaS works for virtually any business process delivered as a service. Social media offer efficient marketing tools for new ventures and transforming long-existing businesses. Social networking media enable professionals to identify, target and interact directly with qualified business prospects, using tags such as geography, interest category, company or any other affinity class. Social networking allows online interactions between individuals and sharing of ideas, photos, audio, video and aspirations. Marketers love social media as a vehicle for (i) efficiently opening new conversations, (ii) inviting engagement by asking for “status updates,” (iii) developing brand goodwill, (iv) creating personal trademarks for self-appointed gurus leading new discussion groups and (v) serving highly targeted and affordable advertising. Social networking marketing can even be outsourced. For the full article, click here.

2. Humor

Social networking, (n). (1) electronic platform for displays of appropriate body language, virtual smiles, rubbing shoulders and interactive listening; (2) asocial interaction; (3) bi-directional spam engine.

3. Conferences

April 27-29, 2009, IQPC’s 7th Annual e-Discovery Conference, San Francisco, California. Join this year’s conference to learn more about managing the process of electronic discovery files and to explore options that are available for this task. Proactive e-discovery solutions are more critical to legal departments yet the solutions for costs, implementation, and management are still widely unknown. This conference will provide strategies for e-discovery success including proactive strategies for record management; global privacy issues, data security laws, regulations; specific cost control options; judicial perspective; and cutting edge software solutions. For more info, click here.

April 29-30, 2009, WRG’s Corporate IP Counsel Summit:  Crafting an IP Strategy to Match Corporate Goals, New York, New York. This inaugural event comes at a pivotal time for Corporate IP Counsel across industries. Not only will the new administration be in office but also we will begin to see the repercussions from the upswing in Supreme Court and Federal Circuit cases in 2008 that will affect IP in 2009 and on. Difficult economic times call for thinking outside the box and sharing of best practices. This event is the premier forum to hear about solutions that your IP peers have implemented to maximize their existing IP assets, avoid costly litigation, create and maintain efficient infrastructure, fully integrate IP strategy into business plans, prepare for anticipated patent law changes, and more.  Save $500 off the current registration rate!   Mention promo code BDQ764 when registering.  To register, call World Research Group at 800-647-7600 or visit our website.

May 5-6, 2009, 7th Annual HRO WorldConference & Expo at NY HR Week, New York, New York. Offering timely solutions for organizations that are considering outsourcing, or that are already engaged in the process, to ensure successful change management and positive business outcomes. Hear from the HR outsourcing industry’s most respected practitioners, analysts and vendors. You’ll take away solutions for the strategic and operational challenges associated with HR outsourcing and retained functions. With a dozen breakout sessions, presentations from leading organizations including US Postal Service, Textron, Qualcomm and Hertz Europe, as well as an Industry Leaders’ Panel, you’ll find solutions to your most pressing outsourcing challenges. Register online or call 1-800-727-1227.

May 11-14, 2009, 9th Annual European Shared Services and Outsourcing Week, Budapest, Hungary. Featuring the annual global Shared Services Excellence Awards, where the shared services and sourcing world shapes its future. Novotel Budapest Congress, Hungary. This event is the European arm of a global series of regional flagship events designed to bring together everybody who’s anybody in the combined worlds of captive shared services and outsourcing. SSOW is the largest gathering of Shared Services professionals in Europe and home to the annual Shared Services Excellence Awards. This multifunctional programme covers transformation strategies for all back office functions from Finance, HR, IT, procurement – through to multifunctional hubs. Whatever scale and whatever size of the organisation, if you’re pushing back office efficiency through a captive, outsourced, or mixed model route, this is the must attend event for your continent. Join over 60 contributors. To register for a limited 2-for-1 offer (for practitioners only, terms and conditions apply), quote code MP16. For more information: Email: enquire@SSOWeek.com, Tel: +44 (0) 207 368 9300 or visit our website.

May 18-20, 2009, 6th Annual HR Shared Services & Outsourcing Summit, Chicago, Illinois. SSON’s HR Shared Services Summit is the most important event of the year for HR leaders seeking to re-align their services with the strategic requirements of the business. New highlights for 2009 include 25+ HR thought leaders, brand new, truly strategic content on HR Outsourcing & HR Transformation, Interactive roundtable discussions and the introduction of the VP Think Tank, which enables exclusive networking with senior HR leaders. From “101” style topic introductions for those new to shared service structures, to detailed case studies on truly transformational programs, it’s the only event that guarantees a return on your time out of the office: whatever the maturity level of your HR service offerings. Contact Kim Vigilia at kim.vigilia@iqpc.com for any questions. Click here for more info.

June 7-9, 2009, The 3rd Annual Shared Services Exchange, Miami, Florida. This is an invitation-only gathering for VP and C-Level senior executives made up of highly crafted, executive level conference sessions, interactive “Brain Weave” discussions, engaging networking opportunities and strategic one-on-one advisory meetings between solution providers and delegates.  With a distinguished speaking faculty from Coca-Cola, CIGNA, American Electric Power, AOL and Safeway, amongst others, the seats at the 2009 Exchange are limited and filling up quickly.  We have limited complimentary invitations available for qualified delegates for a limited time. Please give us your reference ‘Outsourcing-Law’ when inquiring. There are solution provider opportunities also available for companies who want to be represented. You can request your invitation at exchange@iqpc.com or call us at 1866-296-4580. Visit our website.

June 23-25, 2009, SSON’s Launching and Managing Shared Services, Houston, Texas. This is the only conference in the US specifically focused on management and technology tools needed for a successful SS center. Developed in conjunction with an expert advisory board, the conference features extended interactive sessions on key activities needed to optimize a shared services strategy. Whether you’re building the business case, designing a governance model, implementing an ERP system, or agreeing on a series of performance standards with the business, Launching and Managing Shared Services delivers the exact information you need to proceed with confidence. Join other senior business leaders on giving your shared services center the best possible chance of success in a challenging economic environment. We’re proud to highlight this event’s outstanding speaker faculty of Shared Services experts from companies including MICROSOFT, COORS BREWING, CARGILL, APPLIED MATERIALS, and ASTRAZENECA. Contact Kim Vigilia at kim.vigilia@iqpc.com for any questions. For more info, click here.

July 27-29, 2009, IQPC’s 7th Annual Procure-to-Pay Summit, Boston, Massachusetts. Leveraging current opportunities around corporate spend management whilst minimizing the impact on A/P, the 7th Procure-to-Pay Summit is expanding on its previous success and featuring new additions to the program, including: in-depth coverage of various AP optimization approaches: centralization, outsourcing and automation; new emphasis on strategic sourcing and global procurement; new techniques and tools for maximizing supplier relationships in procurement and efficiently expediting supplier payments in AP. For more information, please click here.

******************************************

FEEDBACK: This newsletter addresses legal issues in sourcing of IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at: webmaster@outsourcing-law.com The information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: publisher@outsourcing-law.com . Edited by Bierce & Kenerson, P.C. Copyright (c) 2009, Outsourcing Law Global LLC. All rights reserved.  Editor in Chief: William Bierce of Bierce & Kenerson, P.C. located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080.