Technology providers often offer product guarantees without specifying the consequences of failing to meet those promises. However, what value does a guarantee hold if it is riddled with numerous caveats and exceptions?
For decades, technology companies have promoted performance guarantees while consistently failing to clearly outline the repercussions if their products don’t perform as advertised.
I’ve been urging vendors to stop these misleading practices for a long time.
Recently, I was cautiously optimistic when Scality, a storage provider, unveiled a guarantee that included a commitment to pay $100,000 if their product didn’t perform as stated. Initial impressions were positive.
The company’s announcement proudly stated that this guarantee was notably free from a vast array of restrictions. According to Scality, their guarantee is crafted to be “clear and accessible,” contrasting with “complex vendor programs that advertise larger amounts but are difficult to claim.”
The firm asserted that the guarantee was “simple,” featuring “straightforward eligibility” criteria, and its executives extensively promoted these new initiatives.
During an interview, Scality CMO Paul Speciale expanded on this, criticizing other companies for imposing “long lists of stipulations and terms” and “onerous lists of conditions.”
Scality CEO Jérôme Lecat declared in a statement, “This cyber guarantee demonstrates our commitment to our architecture. It’s a straightforward promise that reflects our strong confidence.”
As journalists tend to be skeptical, these claims seemed overly optimistic. Consequently, I reviewed the company’s end-user license agreement (EULA). While I’ll delve into specifics shortly, it’s fair to say my initial doubts were confirmed.
Examine the EULA
The crucial takeaway for IT professionals? Always thoroughly review the EULA and all associated documents before committing to any agreements.
To begin, let’s examine the guarantee specific to users of its Artesca storage product: “A $100,000 financial guarantee for customers if an external cyberattack destroys or encrypts data stored immutably on Artesca. This program extends to all Artesca customers, without the necessity of acquiring additional services. Eligibility for the guarantee requires organizations to maintain Artesca’s updates and safeguard data using Object Lock in compliance mode.”
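Because eligibility hinges on the data having been “stored immutably” with Object Lock in compliance mode, a customer who wants to know in advance whether a claim could ever succeed should verify that setting rather than assume it. The following is an added example, not Scality’s code or documentation: it evaluates an Object Lock bucket configuration and a per-object retention record against that condition. It assumes that Artesca’s S3-compatible API returns the same response shapes as AWS S3’s GetObjectLockConfiguration and GetObjectRetention calls (an assumption to confirm against your own deployment); the sample responses below are constructed for the demonstration.

```python
"""Check whether an S3-style Object Lock setup meets the "Object Lock in
compliance mode" condition quoted from the guarantee.

Illustrative code, not Scality's. Assumes the S3-compatible endpoint returns
the AWS response shapes for GetObjectLockConfiguration / GetObjectRetention.
"""
from datetime import datetime, timezone


def check_bucket_lock(config: dict) -> list[str]:
    """Return findings for a GetObjectLockConfiguration response.

    An empty list means new objects default to compliance-mode retention.
    """
    findings = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
        return findings
    default = lock.get("Rule", {}).get("DefaultRetention")
    if not default:
        findings.append("no default retention rule: objects are only locked "
                        "if every PUT sets retention explicitly")
        return findings
    mode = default.get("Mode")
    if mode == "GOVERNANCE":
        # Governance retention can be shortened or removed by any principal
        # holding s3:BypassGovernanceRetention, so it is not immutable.
        findings.append("default retention mode is GOVERNANCE, not COMPLIANCE")
    elif mode != "COMPLIANCE":
        findings.append(f"unexpected retention mode {mode!r}")
    if not (default.get("Days") or default.get("Years")):
        findings.append("default retention rule has no period")
    return findings


def check_object_retention(retention: dict, now: datetime) -> list[str]:
    """Return findings for a GetObjectRetention response for one object.

    Bucket defaults can be overridden per object, so both levels matter.
    """
    record = retention.get("Retention")
    if not record:
        return ["object has no retention record"]
    findings = []
    if record.get("Mode") != "COMPLIANCE":
        findings.append(f"object retention mode is {record.get('Mode')!r}")
    until = record.get("RetainUntilDate")
    if until is None or until <= now:
        findings.append("object retention is missing or has already expired")
    return findings


# Constructed sample responses (not captured from a real system).
SAMPLE_COMPLIANT = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
SAMPLE_GOVERNANCE = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
SAMPLE_DISABLED = {"ObjectLockConfiguration": {}}

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_OBJECT_OK = {"Retention": {
    "Mode": "COMPLIANCE",
    "RetainUntilDate": datetime(2025, 3, 1, tzinfo=timezone.utc)}}
SAMPLE_OBJECT_EXPIRED = {"Retention": {
    "Mode": "COMPLIANCE",
    "RetainUntilDate": datetime(2024, 12, 1, tzinfo=timezone.utc)}}

if __name__ == "__main__":
    for name, cfg in [("compliant", SAMPLE_COMPLIANT),
                      ("governance", SAMPLE_GOVERNANCE),
                      ("disabled", SAMPLE_DISABLED)]:
        print(name, check_bucket_lock(cfg) or "OK")
    print("object ok", check_object_retention(SAMPLE_OBJECT_OK, NOW) or "OK")
    print("object expired", check_object_retention(SAMPLE_OBJECT_EXPIRED, NOW))
```

The distinction between governance and compliance mode is the point of the check: governance retention is a policy that sufficiently privileged credentials can override, which is exactly the scenario the guarantee excludes, whereas compliance retention cannot be shortened by anyone until it expires. Running the bucket check alone is not enough, since a PUT can set a shorter or different retention on an individual object, so the object-level check should be sampled across the data the guarantee is expected to cover.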
Setting aside the deeper limitations, even the fundamental offer itself contains restrictions. The cyberattack must originate externally, effectively excluding insider threats from this guarantee, and it must specifically destroy or encrypt data. Should an attacker merely exfiltrate data or gain unauthorized access without destroying or encrypting it, the customer receives no compensation. (This clip from Willy Wonka perfectly captures the sentiment.)
Furthermore, the omission of data exfiltration was a deliberate choice. Speciale clarified, “Even if credentials are stolen or leaked, we can prevent data stored immutably from being deleted or encrypted. However, anyone possessing valid access credentials can read and consequently exfiltrate data. While deletion/encryption is auditable, data exfiltration is not.”
Speciale further stated that his company has implemented measures to minimize the risk of a vendor-side attack compromising customer data. He explained, “Firstly, our support team does not possess the customers’ Artesca access credentials. Secondly, even if we did, our product incorporates MFA, meaning stolen credentials alone would be insufficient. The device facilitating the real-time second-factor authentication would also need to be under the attacker’s control, which is a far less common scenario. This would necessitate more active involvement from the individual targeted by social engineering, but again, we do not even have access credentials for the customers’ system initially.”
What additional constraints are hidden in the fine print? “Customers are required to notify Scality within 48 hours of identifying a qualifying incident and must collaborate in root cause analysis, providing pertinent logs and telemetry.”
Is that truly practical? A customer grappling with a recent cyberattack will undoubtedly be overwhelmed during the initial 48 hours. It’s highly probable that customers could miss this stringent deadline – assuming they are even aware of it – long before they consider filing a claim for compensation.
Speciale clarified that the 48-hour period is intended solely for an initial notification. He explained the brief timeframe: “If a customer delays reporting the incident for weeks or months, crucial system logs might be overwritten, and evidence of the breach’s origin could be lost, thereby making it impossible to ascertain whether the software malfunctioned or if a customer configuration error was responsible.” Thus, Scality requires these logs to determine the incident’s eligibility.
The guarantee’s diminished scope becomes even clearer in other areas. While the news release stated it “applies to every Artesca customer without requiring the purchase of additional services,” this isn’t entirely accurate, as it explicitly excludes free license users.
Furthermore, the documentation restricts the purported $100,000 payout to clients “with a minimum of 50TB license.” While this isn’t an excessively burdensome condition, it does contradict the assertion that the guarantee “applies to every Artesca customer.”
Additionally, a curious exclusion applies if an attacker commits any action beyond data deletion or encryption; the EULA stipulates that encryption or deletion must be “the direct and sole consequence” of the attack.
What Constitutes Sufficient Compensation?
Scality’s press release also features this intriguing statement: “Numerous Artesca customers safeguard 50TB or more, with annual software investments typically only a few thousand dollars. For these clients, a $100,000 payout signifies a substantial multiple of their yearly outlay, thus offering robust proportional assurance.”
However, if a breach arises due to vendor culpability, the critical question is the total cost incurred by the customer as a result of that error. If a client suffers a $15 million loss, the company’s CFO will hardly respond, “That’s acceptable because we only invested $10,000 in the product.” Such a company would demand complete indemnification.
This prompts the question: Is this guarantee merely a clever tactic to avoid potentially much larger civil court judgments? The EULA explicitly states: “Licensee acknowledges and agrees that the Guarantee Payment shall constitute the sole and exclusive remedy for any Qualifying Cyber Incident, and no other damages, including, but not limited to, direct, indirect, incidental, or consequential damages, shall be available to the Licensee.”
When questioned, Speciale indicated that other documentation signed by customers had already precluded alternative legal avenues, including civil lawsuits or arbitration.
He stated, “The guarantee is, in fact, an improvement, given that without the Cyber Guarantee, typical commercial agreements from most storage providers, Scality included, disclaim responsibility for data loss or security breaches. Our standard liability is additionally limited to the sum paid by the customer.”
Essentially, customers who fail to meticulously review and sign the initial agreements have already relinquished their entitlement to full restitution.
Perhaps loudly promoting a guarantee, even one burdened with numerous exemptions, is marginally preferable to offering no guarantee whatsoever. Nevertheless, the fundamental principle persists: the adage caveat emptor (buyer beware) is more pertinent now than ever.