Data Security Liability

Discussion in 'Pre-sales questions' started by Chase, Feb 22, 2016.

  1. I have designed a customer management service for a client, and my client is currently deciding which web host provider they want to use to host the database containing their customers' personal information. I suggested to them that they use Winhost. However, my client is particularly concerned about data security and wants assurances from Winhost about who is liable in the event of a data breach or hack before they choose to sign up.

    I am well aware that in all likelihood, a data breach will originate from errors I have inadvertently placed within my customer management service, in which case I should be held liable for any exploit of my system that harms their customers' personal information. I'm also aware of the Website Security options that Winhost provides to help prevent such data breaches, and that even with those features implemented, I would still be liable. However, for full disclosure, I am wondering what Winhost's policy and acceptance of liability is with regard to acts that compromise Winhost's servers.

    In particular, I would like to be able to address my client's concerns to the following two (somewhat extreme and unlikely) scenarios:

    1. Winhost's servers are hacked through a server exploit (independent of me or my client). Hacker destroys and/or makes off with copies of the database(s) containing the personal information of my client's customers. Let's assume that backups are destroyed.

    2. Winhost's servers are physically compromised. Thieves destroy and/or make off with the physical drives containing the personal information of my client's customers. Again, assume no backups are available.

    How does Winhost respond to these kinds of attacks and what sort of equitable relief is provided for possible damages that might be incurred as a result of the stolen or destroyed data? Links to online policies or related legal documents would be appreciated.

    I've found the following resources helpful for shedding some light on this issue:

    General Information on the Winhost data center facility
    Lists the physical specifications and security measures of the facility containing Winhost's servers.

    Winhost Acceptable Use Policy
    Clearly outlines the rules regarding how a Winhost user is supposed to use their website and where liability rests in the event a user misuses their site.

    Winhost Terms of Service
    States that "Customer will be solely responsible for the development, operation, and maintenance of Customer Content" and also provides what Winhost's "Remedies" are to malfunctioning Customer Content.

    Winhost Privacy Policy
    Clearly defines how a Winhost member's identity and personal information is protected.

    Any other information you can provide would be greatly appreciated. Thank you.
     
  2. As you suggested, website/database exploits happen on the individual site level, not on a server level. We haven't had any instances similar to your examples, so I can't tell you how we've responded to a hacker destroying or stealing customer data in the past. We haven't had to respond to that happening.

    Having said that, and to answer your question, "what sort of equitable relief is provided for possible damages that might be incurred as a result of the stolen or destroyed data?" directly and honestly: we don't take liability where data loss is concerned.

    That isn't unique to us, it applies to pretty much every online service you can name, regardless of price. But as far as website and database hosting is concerned, there isn't anyone who is going to financially compensate a customer for lost data (with the exception of service credits or discounts).

    That isn't because we're all inept or lackadaisical or that we expect to lose your data. I think the idea of data responsibility goes back a long way, to a kind of understanding between hosts and users on every level that a user's data - and the safeguarding of that data - is a user's responsibility. As it should be if you value it.

    That's why we offer an automated site file and database backup service that lives outside of our network, and is separate from our own daily backups. It isn't because we don't have faith in what we do. It's to give you an additional, optional place to keep copies of your data. Just an ace up your sleeve should something disastrous happen.
     
