Businesses liable for data breaches with cloud computing

Businesses have been warned to look before they leap when it comes to using cloud computing.

Nigel Miller, technology partner at London law firm Fox Williams LLP, said today there were many grey areas in cloud services – with the businesses themselves normally liable for any data breaches by the cloud service providers.

Miller told TechEye: “The first step is to look at Europe and the UK Data Protection Act. This says quite straightforwardly that if you engage with a third party data processor to process data on your behalf, then you as a company are still responsible primarily for what happens to that data.

“It’s your responsibility and the act imposes that responsibility on you.”

According to Miller, a certain amount of due diligence should be involved, with a business checking that the cloud company has adequate security guarantees in place.

But things can be slightly complicated by where companies are outsourcing their “data processing”.

He explained: “The problem is that many of them are not in the EU. If they are outside the EU then they are not responsible under the EU Data Protection legislation.”

Companies in Europe are not allowed to transfer data outside Europe without jumping through certain hoops. For example, if the data is going to a cloud server in the US, then this cloud company must be in the “Safe Harbor” scheme, which means they observe the minimum data protection standards.

However, Miller stressed that this did not change the liabilities, adding: “Typically, service providers in their Ts and Cs exclude all liability.” 

So if there was to be a data breach, the individuals who had their data leaked all over the internet would not be able to sue the cloud company.

Miller said: “The liability remains with the company. That’s not to say the cloud service provider has no responsibility for it – they might be liable to the company under the contract. But in terms of legal responsibility…”

So companies need proper due diligence to protect themselves. Miller said they needed to make sure they knew who they were handing the data over to and that proper security measures are in place. That meant looking at the contracts and not necessarily accepting the standard terms. 

“They should indemnify you (the company) if you get sued,” said Miller. So if there was an accidental security data breach, the company could get sued – and they in turn could sue the service provider. 

Kind of a reimbursement arrangement.

But Miller warned this was “extremely difficult” to put in place. He said: “There are no standard contracts really, this is very much a risk that is left with the company.

“In the future, things will evolve, but as they stand at the moment the risk is largely left with the company.”

And of course, if there is a security breach, there is the issue of who to tell.

Miller said: “If a company outsources its data processing to a third party, and it loses that info, should it tell the people whose data it is? Or any regulators? Do they own up?

“It’s one of the big topics at the moment.”

Miller said questions such as these were currently being discussed in the US and UK.

We also asked Dell what companies should be doing to protect themselves when using cloud computing.

Ferenc Szelenyi, vice president EMEA public sector services at Dell Services, advised businesses to be more careful with passwords.

He explained: “For their part, companies need to be more vigilant about how passwords are assigned, protected and changed. Cloud service providers typically work with numbers of third parties, and customers are advised to gain information about those companies, which could potentially access their data.

“An important consideration for cloud service customers, especially those responsible for highly sensitive data, is to find out about the hosting company used by the provider and if possible seek an independent audit of their security status.

“The UK Information Commissioner now has the power to levy fines on those who recklessly lose confidential or personal information. The level of fines could run to millions of pounds. At a time of economic uncertainty, it is a shame the government has had to resort to such tactics but perhaps it is necessary for the issue to get the attention it deserves.

“Organisations trading on a global scale will also need the best policies for worldwide customers and suppliers – so bringing UK legislation in line with the best in the world makes sense.”

Meanwhile, the leak of data managed by network security provider Omniquad has caused the Cloud Industry Forum to warn that this was “yet another example as to why customers have a natural fear of the risks associated with online business activity.”

In a statement, the Forum advised that it was in the final stages of developing an industry-wide code of practice for online service providers.

This would require vendors to “provide transparency about their business, capabilities and accountability for the services provided to enable end users to make an informed choice”.

Cloud Industry Forum chairman Andy Burton said: “According to our own research which is due to be published next week, whilst there is overwhelming support for, and interest in, cloud computing, it is the lack of confidence by consumers that is the biggest hurdle to the mainstream adoption of the cloud. This was followed by major concerns specifically over security.”