The federal government continues to put pressure on cloud service providers. On March 22, 2023, the Federal Trade Commission (FTC) issued a Request for Information (RFI) seeking public input on the market power and business practices of cloud service providers and their effect on competition and data security. Among other things, the RFI seeks comment on:

  • Practices cloud service providers use to enhance or secure their market position;
  • The extent to which cloud service customers are able to negotiate contracts with providers, or whether contracts are provided on a take-it-or-leave-it basis;
  • Incentives offered by cloud service providers for customers to use more services from a single provider;
  • Artificial intelligence-related services offered by cloud service providers and the extent to which such services are dependent on a specific cloud platform or are platform agnostic;
  • Barriers to competing with existing cloud infrastructure providers, including difficulties customers may face when switching from one provider to another or mixing and matching multiple providers' services;
  • The competitive dynamics of cloud services markets, including the interplay between different layers of the cloud ecosystem and the players operating in them;
  • The security and resiliency risks of particular segments of the economy being dependent on a small number of cloud providers;
  • Security diligence and monitoring conducted by customers of cloud service providers, including whether customers can comply with contractual or legal obligations to do diligence on and monitor service providers;
  • Representations by cloud service providers about their data security practices;
  • When cloud service providers inform customers of security vulnerabilities and other risks; and
  • How cloud service providers and their customers allocate responsibility for securing personal information and responding to data breaches.

The RFI says that the FTC is especially interested in gathering information on cloud computing in the healthcare, finance, transportation, eCommerce, and defense industries. An FTC blog post accompanying the RFI's publication notes the increased reliance on cloud computing especially for the healthcare and finance industries, and for the proliferation of chatbots powered by large language models. The blog post identifies three of the FTC's concerns with the cloud services industry:

  • Single point of failure, i.e., the risk that a major outage at a single cloud provider could disrupt large parts of the economy. As noted in the FTC blog post, the Department of the Treasury recently issued a report listing several security and resiliency concerns for the financial services industry related to cloud computing—including that an outage at one provider could "have a cascading impact across the broader financial sector." Similar concerns also appear to drive some of the Securities and Exchange Commission's proposed amendments to Regulation Systems Compliance and Integrity (Reg SCI). Those amendments (which we discuss here) would require regulated entities (generally, those that play a significant role in the functioning of the U.S. securities markets) to perform risk assessments of their cloud service providers, including of whether they may be too dependent on a single provider, and to consider "exit strategies" for switching providers.
  • Security risks, particularly those that may arise from customers misconfiguring cloud services. The FTC's blog post quotes Jen Easterly, the Director of the Cybersecurity & Infrastructure Security Agency (CISA) at the Department of Homeland Security, in highlighting a concern that cloud service providers place disproportionate burdens on consumers and small organizations to secure cloud services and data.
  • Market power and effects on competition. The blog post also highlights concerns that customers may be faced with less competitive contract terms, confusing pricing structures that make comparing providers difficult, and barriers to switching providers or using multiple providers simultaneously.

The RFI comes on the heels of the Biden Administration's release of its National Cybersecurity Strategy (we discussed the strategy here). Among other things, the National Cybersecurity Strategy aims to shift liability for cybersecurity vulnerabilities to providers of software products and services (certainly including cloud service providers) that "fail to take reasonable precautions to secure their software…." The strategy specifically calls for federal legislation prohibiting providers with "market power" from fully disclaiming liability for vulnerabilities and establishing heightened security standards for software in certain "high-risk scenarios."

We expect the agency will pay especially close attention to comments submitted by service providers that operate within the cloud ecosystem. Against the backdrop of the FTC's reinvigorated policy of rigorously enforcing the federal ban on "unfair methods of competition" under Section 5 of the FTC Act, the RFI could potentially lay the groundwork for enforcement actions against cloud service providers. Some of the conduct identified in the FTC's recent Section 5 Policy Statement that could be implicated by the RFI includes exclusive deals with cloud customers or partners as well as tying ancillary services to a core cloud product and other methods of leveraging market power from a cloud service to adjacent offerings in the cloud ecosystem. The responses to the RFI could also inform how the agency goes about reviewing mergers and acquisitions involving cloud providers. Recent FTC priorities that could apply to the cloud provider context include vertical acquisitions in adjacent offerings as well as nascent deals involving upstarts who are positioned to become eventual rivals.

Next Steps

Responses to the RFI must be submitted by May 22, 2023. Comments may be submitted here.

DWT's Privacy and Security team will continue to monitor the FTC's actions and information gathering efforts related to cloud services.