Legal Risks in the Cloud: Part 2
In my last blog posting I discussed barriers to achieving compliance and responding to eDiscovery orders when data are stored in the cloud. But these are just a few of the many legal risks connected with cloud computing. One of the most serious is that customers do not know exactly where their data are being stored and processed, or how (if at all) they are being safeguarded. This translates into a number of concerns:
1. In what country are the data stored? I recently learned of a US company that contracted with a cloud service provider (CSP) to store its data. The company later found that the data were stored in India. Some of the data, however, were restricted from distribution outside of the US under the International Traffic in Arms Regulations (ITAR). A similar problem arises when organizations in European Union (EU) member countries have personal data stored by a CSP in systems that are not physically located in an EU country. And the possibility of transborder data flow only exacerbates the legal risks.
2. Are the stored data sufficiently secure? Are the controls that the cloud service provider (CSP) says are in place really in place? If the data are not secure and someone is able to access and copy them, all kinds of legal complications present themselves. Who is responsible for the data security breach, the CSP, the customer or both? Can the customer be held negligent for choosing a CSP that has had a history of poor data security practices and security breaches? If an attacker (including possibly an individual who is employed by the CSP) uses a system operated on behalf of the customer to break into other systems owned by other organizations, what chances does the customer have in court if it faces lawsuits based on downstream liability? The possibilities here seem almost endless.
3. What if the CSP agrees under the terms of a Service Level Agreement (SLA) or Statement of Work (SOW) to encrypt a customer’s data, but fails to do so (perhaps because encryption precludes data indexing), and the data are stolen? Or what if the CSP uses a weak encryption algorithm such that an attacker steals the data and then cracks the encryption, exposing all the stolen data? How responsible would the customer be if lawsuits over the compromise of Personally Identifiable Information (PII) or Personal Health Information (PHI) resulted? Additionally, states such as Nevada have laws that require encryption of certain types of data. Could the customer (in addition to the CSP) be charged with violation of these laws if the CSP does not encrypt the data entrusted to it?
4. To the best of my knowledge, 43 of the 50 US states currently have laws that require notification of individuals whose personal and financial data have been compromised. If the CSP that stores these data experiences a data security breach and is unaware of it, or simply fails to report what has happened to the customer, has the customer (in addition to the CSP) violated the notification law?
I could go on and on about the intriguing legal complications and entanglements that come with having a third party store, process and transmit a customer’s data, but I am sure by now you see the picture. And there is another whole side of cloud-related legal liabilities that I have not yet brought up, but I’ll wait until the next blog entry to discuss it.