I’ve been waiting for a clear delineation of liability when information in a public cloud inevitably gets stolen. The EU is pushing for making vendors liable (via Hack Naked TV). The problem is that there are two parties who could be “at fault” for a data breach: the cloud service provider, and the consuming firm. The cloud service provider might not have locked down its systems appropriately, thus allowing a third party to steal data. On the other hand, the consuming firm may have written poor code which is susceptible to exploitation—for example, allowing for SQL injection attacks.
I’m not a fan of having governments fill in this gap, at least through the legislature. This is really a classic case for common law and the court system to probe the implications. I don’t think there really is a truly correct answer that follows for all cases, however. I think it will be too much of a case-by-case decision-making process to formalize in any predictable manner. Really, you would need to determine who was at fault, and that would lead to legal debate. Skewing it one way or the other would make for more predictable relationships, but it does have unintended consequences. Let’s take this particular case as an example. Suppose that the provider is liable in all cases—not just that the burden of proof is on the cloud provider to prove that it was not at fault, but that it is liable for any data breach whatsoever. In that case, cloud providers would be much more likely to lock down their service offerings more tightly than otherwise. You have to make sure that customers can’t screw things up, so you provide access only through special libraries. This would slow down the pace of innovation in the field and make it less likely that a public cloud would be a smart idea.