Since the European Commission outlined its overhaul of EU data protection laws in June, debate has continued about the scope and impact of the reforms, especially in reference to cloud computing.
The draft document is not due out until November but there has been considerable speculation on the details of the Directive, particularly over whether it will shift liability to the cloud provider in the event of a data breach.
It has been suggested in some quarters (see here) that the updated Directive will include a provision ‘asking’ cloud providers to validate the security properties of their service infrastructure and to accept legal responsibility for any data losses that occur while that data is in their custody. It is suggested that cloud service vendors who signed up to the scheme and accept legal responsibility would have a competitive advantage. This would be based on customer confidence derived from independent validation, compared to vendors not signed up to the scheme.
In principle this could help to drive adoption of cloud services, particularly those associated with handling sensitive data. But you have to question the logic of that argument.
Firstly, the prospect of a shift in liability sounds appealing but is it really going to make a difference? Even if your cloud service provider is held legally responsible for losing your customers’ data, it’s still your customers’ data that is lost and your reputation that is damaged. Imagine if an online retailer were to lose customer credit card details as a result of a hacker infiltrating a cloud vendor’s data centre. Irrespective of where legal liability lies, it is still the retailer that would have to disclose the breach to its customers and suffer the financial and reputational damage.
Secondly, there’s the practical issue that virtually no cloud providers will be prepared to accept liability. Few cloud providers have any knowledge of the data that they process and have no ability to calculate the value or risk attached to it. The controls and monitoring systems that would be necessary to support the technical and legal finger pointing to establish the source of a breach would be too overwhelming.
Thirdly –accrediting cloud services from a security perspective is somewhat of a lofty goal. In the enterprise sector, PCI DSS (which has a much narrower focus) has still taken years to create and relies on a huge network of supporting parties. To define and enforce an accreditation scheme suitable for the numerous and diverse data types and security objectives involved in generic cloud services is, in reality, not feasible.
If the goals of the Directive are to stimulate the adoption of cloud computing and motivate cloud providers to take security more seriously, then it’s a worthy cause. But security is such a contextual concept that it’s almost impossible to apply blanket mandates. Cloud vendors provide a variety of services that handle different types of data that are subject to different protection requirements. It is up to the organisations taking up their services to evaluate whether a cloud provider can meet their SLA requirements and be trusted to safeguard data, or not.