The myriad of computing service failures during the last week or so have had me thinking back to my conversation in March with Drew Bartkiewicz. We've had Amazon Web Services fail and bring down much of the Web with it. Add to that the PlayStation Network outage, which is still unresolved and is starting to get ugly in a legal and regulatory sense for Sony. And before that there was the breach at the e-mail marketing company Epsilon.
It's as though this week was tailor-made for Bartkiewicz, who argues that companies in the cloud business--and their customers, too--are in denial about risk. And by risk I mean not the technological possibility that a service may fail to work as advertised, but in the financial liability sense.
In Amazon's case, there's not been any real discussion of financial liability. Even though several companies effectively had to pause operations during the period of its outage last week, the only compensation they seem to be getting, at least for the moment, is a credit on their bill for the time that affected systems were offline and an apology. Apologies and billing credits won't work for large companies. In a case like that, someone, somewhere has to be on the hook financially in the case of failure.
Handing your data over to someone is in a way comparable to handing goods over to a shipping company that promises to get it safely from one place to the other. Something bad can happen along the way, and often does. Trains derail, ships sink or get attacked by pirates. This is why the insurance industry exists. Yes, data is slightly different because it can be copied, but you get the idea.
Anyway, as if on cue, I found in my in-box today a report from Bartkiewicz's company, CyberFactors, which specializes in risk analysis related to cloud services. It made for very interesting reading: It has estimated the financial costs associated with the Epsilon breach, and the findings should get your attention. The security breach and release of customer data at the e-mail marketing provider has exposed the company to liabilities that could be as high as $225 million. According to CyberFactors' research, as many as 75 other companies were involved and the total number of affected e-mail addresses may be as high as 60 million.
Dealing with the repercussions of the breach--informing customers about it, making changes to marketing strategies, and so on--could eventually cost those at the affected companies, which included household names like Best Buy, J.P. Morgan Chase, Citibank, Walgreen's, and the Walt Disney Company, as much as $412 million, pushing the aggregate cost of the incident to $637 million. Think about that. The exposure of an e-mail database could wind up costing more than half a billion dollars.
Yet even that isn't the worst of it. Once you take into account down-the-line costs, such as fines, forensic audits, litigation, and loss of business, the total cost could exceed $3 billion. Roughly half of the total costs to the affected companies will occur in the first year after the breach, and the rest will come in the second and third years. Security breaches have a way of costing long after the incident itself fades from the headlines. Cloud companies, CyberFactors argues, are going to have to start thinking more like banks, insurance companies, and hedge funds. The cloud is going to have to grow up.