| |Did the provider violate the contract?*|If so, can the customer recover damages?|What it means|
|---|---|---|---|
|AWS|Maybe.[2] AWS does not promise a lot in its contracts, so there’s not a lot for it to violate.|Probably not.[3] In fact, AWS’s indemnification provision could be construed to require its customers to indemnify AWS against claims brought against AWS by victims of the breach.[4]|Most customers would be pretty out of luck trying to recover damages from AWS, and may even have to defend AWS against lawsuits brought by victims of the breach.|
|Microsoft Azure|Probably.[5] Microsoft contractually promises that its personnel will not breach its customer’s data.|Probably, but only for direct damages up to the amount the customer paid for the services in the 12 months preceding the breach.[6]|Customers could probably recover the last 12 months of fees paid to Microsoft and would not have to defend Microsoft against lawsuits brought by victims of the breach.|
IMPORTANT DISCLAIMER: WE ARE NOT COMMENTING ON OR VERIFYING ANY OF THE ALLEGED FACTS REPORTED BY THE MEDIA INCLUDING WHETHER THE CAPITAL ONE BREACH WAS ACTUALLY CAUSED BY THOMPSON, WHETHER THE HACK WAS ACTUALLY ENABLED OR FACILITATED BY HER EMPLOYMENT RELATIONSHIP WITH AWS, WHETHER AWS IS ACTUALLY LIABLE OR IN ANY WAY RESPONSIBLE FOR THE HACK, WHETHER CAPITAL ONE SIGNED AWS’S STANDARD AGREEMENTS OR SOME OTHER AGREEMENTS, OR ANY OTHER ALLEGED FACTS RELATING TO THE CAPITAL ONE DATA BREACH. OUR RESEARCH AND THESE CONCLUSIONS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. THIS POST IS FOR INFORMATION PURPOSES ONLY AND SHALL IN NO WAY BE CONSTRUED AS LEGAL ADVICE. For additional information, email or call 520-850-9814.
[1] See, for example, CNN’s coverage.

[2] Possible breach of contract claims would include breach of AWS’s contractual commitments (a) not to “access or use” customer’s data except as needed to provide the services (Section 3.2 of AWS Customer Agreement), and (b) to “implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure” (Section 3.1 of AWS Customer Agreement).

[3] If a customer did have a valid breach of contract claim, it would have to overcome AWS’s disclaimer of all possible liability whatsoever (first sentence of Section 11 of AWS Customer Agreement).

[4] The standard AWS indemnification provision requires AWS customers to indemnify AWS against any claims arising from the customer’s “use of the [AWS services]” (Section 9.1 of AWS Customer Agreement).

[5] Possible breach of contract claims could include breach of Microsoft’s commitments to (a) ensure “that its personnel engaged in the processing of [customer data] and [personal data] (i) will process such data only on instructions from customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends” (Processor Confidentiality Commitment, Data Protection Terms, Online Services Terms (available by downloading the English version at this link)), and (b) “implement and maintain appropriate technical and organizational measures to protect Customer Data and Personal Data” (Security Practices and Policies, Data Protection Terms, Online Services Terms).

[6] We did not find any provisions that would require a customer to indemnify Microsoft in such a circumstance. Furthermore, Microsoft allows claims for direct damages up to the amounts paid by the customer for the Microsoft services in the 12 months before the cause of action occurred (Section 6.a of the Microsoft Online Subscription Agreement).