top of page
process_bg_1
Search

If You Delete It, They Don’t Have to Save It

  • orio1985
  • Nov 19, 2025
  • 3 min read

Updated: Feb 6

error not found

This shocks people every single day. Delete a SharePoint site? Accidentally overwrite a folder? An employee empties their recycle bin? Ransomware encrypts OneDrive? Cloud vendors are not obligated to restore that data.


In Microsoft’s own agreement (buried 48 pages deep): “Microsoft is not liable for lost or unrecoverable content.” Google says the same. Dropbox says the same. Every cloud vendor says the same.


The cloud never promised retention; you assumed it.


That’s why cyber insurance carriers now ask: “How do you back up your cloud data?”


If your answer is: “Microsoft handles that…” you are already out of alignment.



Cyber Insurance Claims Are Being Denied Because Cloud Data Wasn’t Backed Up.


This is the new reality.


A growing number of SMBs are discovering that:


angry man

  • A deleted SharePoint folder

  • A corrupted OneDrive sync

  • A compromised Google Workspace account

  • A disgruntled employee wiping files


…counts as “customer-caused data loss.” Insurers treat it as your failure, not the vendor’s.


Claims get denied with language like:

“The insured did not maintain independent backups as required by the policy.”

Cloud is not a backup. Cloud is storage. Insurance only pays when you can prove you took precautions.


HIPAA, IRS 4557, and FTC Safeguards Do Not Accept “It Was in the Cloud”


Every compliance framework says the same thing:


Cloud storage is not compliant unless:

  1. MFA is enforced

  2. Logs are captured

  3. Backups exist

  4. Access is reviewed

  5. Data is encrypted

  6. You can prove all of the above


cloud only cares about uptime
Cloud focuses on uptime

Cloud vendors don’t do any of this for you. Because it’s not their job. This is why so many clinics, CPA firms, and legal offices fail audits: they think storing data in the cloud = compliance. It doesn’t.


HIPAA even spells it out:

“Covered entities are responsible for ensuring the confidentiality, integrity, and availability of ePHI stored with any vendor.”

You own the data. You own the risk. You own the proof.



Cloud Vendors Do Not Care About Your Audit


Microsoft doesn’t access your tenant or pull logs. Google doesn’t verify your MFA settings. Dropbox doesn’t produce your training evidence.


And they definitely do not help you prepare for:


claim denied no proof
My data in the cloud, its safe....

  • HIPAA audits

  • IRS 4557 reviews

  • Cyber insurance renewals

  • Vendor risk assessments


That is your responsibility, or your IT provider’s. The cloud is a tool, not a defense.



Most Data Loss Now Comes From Inside the Organization, Not Hackers


Cloud platforms make collaboration fast…but they also make mistakes permanent.


my data in cloud where is it?

The biggest causes of cloud data loss in 2025–2026 are:

  • Accidental deletion

  • Account takeover

  • Misconfigured permissions

  • Former employees with access

  • Third-party app integrations

  • Sync errors overwriting good files

  • Ransomware encrypting cloud drives


None of this is the vendor’s fault. None of this triggers “vendor liability.”


The cloud didn’t fail; your internal controls did.


That’s the part nobody wants to admit.



“But We Pay for Microsoft 365!”... Yes, And?


Microsoft gives you:

  • A place to store data

  • Basic recycle bin retention

  • Uptime


and its gone

That’s it.


If you want:

  • Versioning

  • Immutable backups

  • Archive retention

  • Legal hold

  • Geo-redundant storage

  • Full restore support

  • Audit logs


That’s your responsibility and often requires:

  • Third-party backup tools

  • SIEM solutions

  • MFA enforcement

  • Role-based access

  • Endpoint protection

  • Upcharge add-on licensing


Again, cloud vendors protect their infrastructure, not your mistakes.



The Hard Truth: The Cloud Is Not a Safety Net


It’s time SMBs stop treating the cloud like a magical vault. The cloud is:

  • Fast

  • Scalable

  • Convenient

  • Highly available


But it is not:


cant buy trust

  • Backed up

  • Compliant by default

  • Insured

  • Auditable

  • Immutable

  • Recoverable by the vendor


The privacy blanket is dead, and the sooner businesses accept this, the safer they become.



So What Should SMBs Do in 2026? (The Real Fix)


1. Back up all cloud data independently

SharePoint, OneDrive, Google Workspace, Dropbox, all need external backup.


2. Enforce MFA for every user

And don’t use SMS. Use authenticator apps or FIDO keys.


3. Review access quarterly

Least privilege isn’t optional; it’s required.


4. Capture logs

Whether via Wazuh or another SIEM.


5. Document everything

If it’s not documented, it didn’t happen.


6. Treat the cloud as storage, not protection

Because that’s exactly what it is.



Final Thoughts: Cloud Convenience Does Not Equal Cloud Safety


Cloud vendors give you power. They give you speed. They give you agility. But they do not give you protection.


Protection is still your responsibility. The businesses that accept that reality will be the ones who survive audits, avoid data loss, and stay insurable.


The privacy blanket is gone. Now it’s time to build real protection.


Not knowing something won't save you; I hear it way too often...

Ignorance is negligence.


do better with your IT

Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating
bottom of page