The Shared Responsibility Model: Balancing Liability in a Matrix of Service Providers

As companies continue to develop new and innovative technologies, streamlining and automating operations, there is an increasing reliance on a number of third-party services to provide services and efficiencies. Each of these third-party providers adds (or attempts to add) a unique new *twist* on the old: more functionality, hopefully improved security, and any other add-ons that could prove to be that differentiator in an already competitive market.

But, as companies increasingly rely on an infrastructure supported by a spider web of numerous providers, the owner of the security and privacy risk is becoming blurred. And, determining the “risk owner” is key to understanding who is liable for a failure in protecting against that risk. With breaches and privacy violations on the rise (a seemingly daily occurrence), and liability for those breaches and violations continuing to evolve, a comprehensive risk mitigation program is completely reliant on understanding responsibilities and when and where those responsibilities can be, and are being, transferred.

Within this environment, the “shared responsibility model” is gaining traction. This term is commonly linked to Amazon Web Services (“AWS”), which is known for embracing and relying on this model. AWS describes the chain of responsibility within its environments as follows:

This shared model can help relieve customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.

In essence, AWS takes care of the infrastructure; the customer is responsible for the use and configuration of that infrastructure.
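To make the customer’s half of that division concrete, here is an added example (not AWS’s code and not part of the original post) of the kind of check a customer owns under this model: an audit of security group inbound rules for world-reachable access to sensitive ports. The input is a constructed dictionary shaped like the EC2 DescribeSecurityGroups response (the shape boto3’s describe_security_groups returns), so it runs offline; the group IDs and rules are made up for illustration.

```python
"""Customer-side audit of AWS security group ingress rules (added example).

Under the shared responsibility model the security group configuration is the
customer's to get right. This check flags inbound rules open to the whole
internet (0.0.0.0/0 or ::/0) that reach a sensitive port or allow all traffic.
The SAMPLE data is constructed; it mirrors the DescribeSecurityGroups shape.
"""
from typing import Iterable

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
DEFAULT_SENSITIVE_PORTS = (22, 3389, 3306, 5432)  # SSH, RDP, MySQL, PostgreSQL


def _port_label(perm: dict) -> str:
    """Human-readable port range; protocol "-1" means all traffic, no ports."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def find_open_ingress(describe_response: dict,
                      sensitive_ports: Iterable[int] = DEFAULT_SENSITIVE_PORTS) -> list:
    """Return one finding per (rule, open CIDR) pair that is world-reachable and
    either allows all traffic or covers a port in `sensitive_ports`."""
    sensitive = set(sensitive_ports)
    findings = []
    for group in describe_response.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if c in (ANY_V4, ANY_V6)]
            if not open_cidrs:
                continue  # internal-only rule, not a world-exposure finding
            proto = perm.get("IpProtocol")
            all_traffic = proto == "-1"
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            hits_sensitive = all_traffic or (
                lo is not None and any(lo <= p <= hi for p in sensitive))
            if not hits_sensitive:
                continue
            for cidr in open_cidrs:
                findings.append({
                    "group": group["GroupId"],
                    "protocol": "all" if all_traffic else proto,
                    "ports": _port_label(perm),
                    "cidr": cidr,
                })
    return findings


# Constructed sample: a web group with HTTPS and SSH open to the world, and a
# database group that is internal on 5432 but has an all-traffic IPv6 rule.
SAMPLE = {
    "SecurityGroups": [
        {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0example2", "GroupName": "db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
    ]
}

if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE):
        print(f"{f['group']}: {f['protocol']} {f['ports']} open to {f['cidr']}")
```

Run against the sample, the audit reports the SSH rule on the web group and the all-traffic IPv6 rule on the database group, and stays quiet about HTTPS (expected to be public) and the internal-only PostgreSQL rule. AWS operates the hypervisor and the data center; nothing in that part of the stack would catch these two rules, which is exactly the point of the quoted model.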

In a business-to-business transaction, this type of model may make sense: you could argue that it is reasonable to expect both parties to have the level of sophistication to meet their respective responsibilities, or, if a party lacks a certain expertise, to hire someone to address that need. This argument breaks down, however, when you start to look into the burdens placed on small businesses. There is a general lack of understanding across a wide variety of industries on security, privacy, and the risks associated with technology (although, you could make the argument that the security offered by an AWS environment is better than what a small business could produce on its own — you can see why this area is fraught with many diverging opinions).

Another issue with the shared responsibility model arises when multiple services are linked together, like an intricate puzzle, to provide services to end users. Where does the responsibility lie in those types of situations? Take, for example, the recent complaint filed against AT&T by cryptocurrency investor Michael Terpin. In the complaint, Terpin claims that he lost $24 million because of AT&T’s failure to adequately secure his phone account. The complaint also states that an internal employee at AT&T assisted the perpetrators (either intentionally or inadvertently) by allowing them to swap his existing phone number to a new SIM card, thereby taking control of his phone number and all that was attached to it (“SIM Swap Fraud”).

SIM Swap Fraud is becoming more prevalent as individuals increasingly rely on their phones for everyday life and for authentication in the digital world. There is a heightened emphasis on securing our online accounts and identities with two-factor authentication (“2FA”); however, if an end user employs 2FA using a code texted to their mobile device (“SMS 2FA”), this security is obliterated if that end user’s phone number is taken over by bad actors (i.e. SIM Swap Fraud). While SMS 2FA does provide an added layer of protection for an account, it is one of the weakest forms of 2FA and is known to be vulnerable because it relies on the security of the phone carrier.

Regardless of these known vulnerabilities, many industries, including the banking industry, rely solely on SMS 2FA as a method of securing your online accounts. As end users, we often do not have a choice in the security mechanisms employed by the company providing our services.

The complaint against AT&T gives rise to an interesting (if tangential) discussion on the balance between numerous services and the shared responsibility model. The cryptocurrency platform where Terpin maintained accounts had a responsibility to provide a method to secure a user’s account. Should the cryptocurrency company be held responsible if it fails to provide a 2FA option? Should it be responsible if it uses a 2FA option that has a known vulnerability (i.e., SMS 2FA)? Is an end user responsible if his account is taken over because he failed to enable 2FA? Is the phone company responsible for its failure to ensure that a phone number is not fraudulently swapped?

Where does the balance of responsibilities lie?

If the cryptocurrency platform only permitted 2FA that did not rely on SMS, Terpin’s accounts may have remained secure even though his phone number was swapped. But, is the failure to provide a non-SMS 2FA method enough to place responsibility on the cryptocurrency platform? Is it reasonable for the cryptocurrency platform to rely on SMS 2FA and, by extension, the phone company security?

As technologies continue to develop and build matrix-like infrastructures that rely on multiple third-party service providers, the evolution of the “shared responsibility model” and how it interplays with liabilities and contractual obligations is becoming increasingly complex. We often reiterate that “you are only as strong as your weakest link.” This is never clearer than in the context of security and understanding how every technology you use, from your phone system to your hardware to your cloud providers and online accounts, is interrelated and can ultimately impact your digital security. Every digital “footprint” you make in the sand of technology creates another point of vulnerability. Managing those responsibilities, and decreasing your own exposure, is an evolving analysis: as the law races to catch up to the evolution of technology, court decisions will play a growing role in dictating the balance between different companies and how these responsibilities (i.e. liabilities) shake out.
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.