Who Is Liable When the Cloud Is Hacked?

The Cloud is the future, we're told -- over and over. There's a good reason. Cloud computing, which uses remote servers to store, manage and process data, promises to offer affordability, scalability, and reduced costs.
But the cloud is a nebulous place, both legally and technologically. When sensitive data, stored on the cloud, gets hacked, who can be liable for the breach?
Hacking the Cloud
Data breaches involving cloud-based storage are nothing new. Some of the largest hacking scandals of the last few years have involved hacking the cloud, including the theft and dissemination of celebrity nude photos stored on Apple's iCloud service. Indeed, data breaches in the cloud are becoming more common and more costly, according to a report by the Ponemon Institute.
In some ways, liability for a cloud-based data breach is fairly straightforward. Parties that failed to take proper care in protecting data or did not live up to the terms of an agreement can be held liable for those failings. For its part, Apple responded to the celebrity nudes hacking scandal by claiming that it never represented or guaranteed that the service would be "free from loss, corruption, attack, viruses, interference, hacking, or other security intrusions." Criminal liability for data breaches may also stem from telecommunications, ecommerce, IP, and data protection laws.
Who Governs the Cloud?
One of the most vexing liability issues involved in cloud computing is jurisdiction. Surprisingly, the cloud does not actually exist up in the air. Servers have a physical location, as do hackers and users. When a breach occurs, which jurisdiction's laws apply?
For example, in much of Europe, a data controller can be held liable for breaching the EU Directive on data protection. A data processor, however, will be subject to a lesser burden, according to a report in the "European Journal of Current Legal Issues." If the cloud service customer is European, the cloud storage is in Asia and a data breach emanates from the United States, there's no clear answer as to whose laws would govern.
As most commentators note, new legislation and greater clarification on existing law are needed to help predict and apportion liability for breaches. In the meantime, the best way to solve cloud liability issues is to avoid a data breach altogether.