Cloud computing, as it moves closer to being a public utility like power and water, will be defined mostly by the risks involved. These include data privacy risks. As is often the case with new IT services riding a marketing boom, the risks of cloud computing tend to be minimized by the marketers. Yet it is by understanding, assessing and managing those risks that confidence in cloud computing can expand significantly, for both organizational and personal users of the cloud. Given the increasing deployment of bring your own device (BYOD) into the corporate space, the prior distinctions between organizational and individual data and process are becoming blurred, and thus the cloud risk evaluation process should be applicable to all types of users.

When evaluating the risks of cloud computing, organizations and individuals (hereafter, cloud consumers) need to take a hard look at both themselves and their cloud service providers (CSPs). Cloud consumers first need to understand how they organize and manage their confidential data, which then provides a foundation for assessing their CSPs. A standard methodology can be used in evaluating the risks for both cloud consumers and CSPs, whether the outsourcing is to private clouds, hybrid clouds or public clouds and regardless of the service model(s) used. Cloud consumers will first need to understand all the types of cloud computing risk before being able to assess and manage the risk.

There are six major categories of cloud computing risk: legal, data protection, contracting, governance, verification and response. Legal risk comes from the totality of all legal obligations that an organization has from all cloud-related statutes it is subject to globally. Data protection risk involves the design, implementation and evaluation of safeguards by the cloud consumer and CSP to protect the privacy of data. Contracting risk is how well cloud consumers have legally protected themselves against undesirable cloud-related events. Governance risk looks at how interoperable data and process are and how portable they are to new CSPs. Verification risk comes from the comprehensiveness and quality of independent third-party assurances about the CSPs used. Response risk involves dealing with security-related incidents that impact the consumer’s data privacy, including data breaches.

Privacy issues arise under both data protection risk and response risk. The protections to safeguard the privacy of data are well understood and not new with cloud computing, although the cloud does reemphasize certain controls. For example, encryption is a must-have in the cloud computing world. Encryption must be deployed not only in transit from the cloud consumer to the CSP, but also while the data is stored by the CSP on disk, in mirror sites, on backup tapes, etc., and, to the extent possible, while the data is in use. Data protection risk has both a technical/process aspect and a legal aspect: complying with a burgeoning number of provisions in laws globally, whether general (e.g., a reasonableness standard) or specific (e.g., requiring information security policies).

Similarly, response risk to a cloud data breach has both technical/process and legal aspects, plus an added dimension. The technical/process response includes how to identify that a security incident has occurred; how to quarantine the intrusion, repair infected systems and restore affected data; and how to undertake reviews and remediations to prevent recurrence. The added dimension is the business/reputational response, which tries to limit the impact on the entity’s financial viability, revenue loss and the diminishing of trademarks and brand names. The legal response requires that organizations comply with a variety of statutory and regulatory requirements for notification, for getting law enforcement and regulators involved and for imaging or safeguarding potential evidence.

There are many different data breach notification laws globally, often part of the local privacy laws, and their number is growing. It is important to remember that when cloud consumers enter the cloud, they have by default become global players, meaning that they will likely be subject to the data privacy laws of more than one country. In Europe, the e-Privacy Directive requires EU member states to implement local legislation obliging service providers responsible for hosting and transmitting consumers’ data to notify the appropriate national authorities in the event of a data breach. If consumers’ data is breached and the breach could have a negative impact on the consumers, they must then also be notified.

While there is as yet no general federal data breach notification requirement in the United States, there are sector-specific regulations in healthcare and financial services for reporting of data breaches. Also, there are general data breach notification laws in almost every state. These laws typically require notification to consumers if their data is breached, thereby exposing them to risk of harm. This is most typically the case when the data is personally identifiable information or financial information that is stored in an unencrypted format. What may vary between the different state statutes is the type of information that must be reported, to whom it must be reported, and when it must be reported. These laws are constantly changing; several U.S. states, e.g., Connecticut and Vermont, have recently revised their data breach statutory requirements.

In the Asia-Pacific region, there are both voluntary guidelines and industry-specific requirements to report breaches. For example, Australia has no general data breach statute but the government has issued voluntary guidelines. In Hong Kong, the proposed changes to the local privacy ordinance will make the breach notification process voluntary, but the government has promulgated guidelines and templates in advance of those changes. Japan has industry-sector regulations regarding data breach notification. In Taiwan and South Korea, newer revisions to privacy laws require data breach notifications. In China, local versions of data breach laws complement national breach notice regulations on service providers.

The legal response to a data breach when data is outsourced to the cloud essentially comes down to answering a series of questions:

  • What data breach notification and privacy laws are implicated by a data breach at a CSP, given that the data servers and consumers may be situated in disparate countries around the world?
  • Who is responsible for reporting a data breach, the CSP or the cloud consumer?
  • When must the breach be reported—immediately, after an investigation or perhaps never?
  • To whom must the breach be reported: the local data protection authorities, industry regulators, local and/or international law enforcement (e.g., Interpol or Department of Justice agencies) and/or the data owners or their data custodians, if outsourced?
  • In what circumstances must the data breach be reported, such as when a certain number of records or a certain type of sensitive data was breached or when criminal activity is suspected?
  • What types of information must be reported?
  • How does the CSP know, in a virtual-resource multitenant cloud environment, which cloud consumer’s data has been breached?
  • What type of evidence must be saved for future criminal investigations or civil litigation (e.g., network and system logs or data/system images), and how can this be done in a multitenant cloud environment?

Example guidance from the Hong Kong government provides some insight into part of the legal response. It suggests that the data custodian first gather information, including when and where the breach occurred, how it was detected, the cause, what type of personal data was affected and the number of data subjects potentially impacted. It advises notifying data subjects when the “real risk of harm is reasonably foreseeable.” For the breach notification itself, it suggests including the date and time of the breach and of its discovery, the cause of the breach, the personal data breached, the potential risks of harm, the remedial measures taken to ensure no further data loss, a contact person and number, the law enforcement or other agencies notified, what is being done to assist affected consumers and what they can do themselves to mitigate the risk of harm, such as identity theft and financial fraud.

With data breaches, all cloud consumers should take the approach that the question is not if they will happen but when—and will I be ready? Much like business continuity plans but with even less certainty as to timing, data breaches can and do occur, and to some of the best-known brand names and organizations, even those with a strong public Internet security profile. CSPs, by centralizing cloud consumers’ data, are a target for bad actors, so cloud consumers should create and test a robust response plan to use when the data breach event occurs and the privacy of their cloud-based data is compromised. This plan should address all three areas of cloud data breach response, as explained above, including the legal aspects. Only then can cloud consumers confidently expand their footprint in the cloud.

Written By

Thomas Shaw, CIPP/E, CIPP/US
