Cloud computing, as it moves closer to being a public utility like power and water, will be defined mostly by the risks involved. These include data privacy risks. As is often the case with new IT services riding a marketing boom, the risks of cloud computing tend to be minimized by the marketers. Yet it is by understanding, assessing and managing those risks that confidence in cloud computing can expand significantly, for both organizational and personal users of the cloud. Given the increasing deployment of bring your own device (BYOD) into the corporate space, the prior distinctions between organizational and individual data and process are becoming blurred, and thus the cloud risk evaluation process should be applicable to all types of users.

When evaluating the risks of cloud computing, organizations and individuals (hereafter, cloud consumers) need to take a hard look at both themselves and their cloud service providers (CSPs). Cloud consumers first need to understand how they organize and manage their confidential data, which then provides a foundation for assessing their CSPs. A standard methodology can be used in evaluating the risks for both cloud consumers and CSPs, whether the outsourcing is to private clouds, hybrid clouds or public clouds and regardless of the service model(s) used. Cloud consumers will first need to understand all the types of cloud computing risk before being able to assess and manage the risk.

There are six major categories of cloud computing risk: legal, data protection, contracting, governance, verification and response. Legal risk arises from the totality of the legal obligations an organization has under every cloud-related statute it is subject to globally. Data protection risk involves the design, implementation and evaluation of the safeguards the cloud consumer and the CSP use to protect the privacy of data. Contracting risk is how well cloud consumers have legally protected themselves against undesirable cloud-related events. Governance risk looks at how interoperable data and process are and how portable they are to a new CSP. Verification risk comes from the comprehensiveness and quality of independent third-party assurances about the CSPs used. Response risk involves dealing with security-related incidents that affect the consumer’s data privacy, including data breaches.

Privacy issues arise under both data protection risk and response risk. The safeguards that protect the privacy of data are well understood and not new with cloud computing, although the cloud re-emphasizes certain controls. Encryption, for example, is a must-have in the cloud. It must be applied not only in transit between the cloud consumer and the CSP but also at rest, wherever the CSP stores the data (on disk, in mirror sites, on backup tapes, etc.), and, to the extent possible, in use. Encryption reduces breach exposure only if the keys are managed separately from the data and remain under the cloud consumer’s control; a CSP-side breach that yields both the ciphertext and the key is, in effect, a breach of plaintext. Data protection risk has both a technical/process aspect and a legal aspect: complying with a growing number of legal provisions worldwide, some general (e.g., a reasonableness standard) and some specific (e.g., a requirement to maintain information security policies).
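
The control described above, as an added example in Go (not code from the original post, and not any CSP’s implementation): the cloud consumer encrypts each object under a fresh data key before upload and wraps that key under a key-encryption key it holds outside the CSP, so every copy at the CSP (disk, mirror, backup) carries only ciphertext. All names, the stored layout and the sample record are assumptions made for the illustration; fetching the KEK from an HSM or a consumer-controlled KMS is out of scope.

```go
// Added example, not code from the original post or from any CSP: client-side
// envelope encryption, so the CSP holds only ciphertext and a wrapped data key.
// Type and function names, the stored layout and the sample record are assumed.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// StoredObject is what the CSP keeps on disk, in mirror sites and on backups.
type StoredObject struct {
	WrappedDEK []byte // per-object data key, AES-256-GCM under the consumer's KEK
	DEKNonce   []byte
	Ciphertext []byte // the data, AES-256-GCM under the DEK
	DataNonce  []byte
}

// randomBytes panics on CSPRNG failure: it is not recoverable, and weaker randomness would void the protection.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic("crypto/rand: " + err.Error())
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKEK generates a 256-bit key-encryption key. It belongs in the consumer's
// own HSM or a KMS the consumer controls, never in the same storage as the data.
func NewKEK() []byte { return randomBytes(32) }

// Seal encrypts plaintext under a fresh DEK and wraps the DEK under kek.
// objectID is bound as associated data so one stored blob cannot be passed
// off as another object's without authentication failing.
func Seal(kek, plaintext []byte, objectID string) (*StoredObject, error) {
	dek := randomBytes(32)
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ad := []byte(objectID)
	dataNonce := randomBytes(dataAEAD.NonceSize())
	dekNonce := randomBytes(kekAEAD.NonceSize())
	return &StoredObject{
		WrappedDEK: kekAEAD.Seal(nil, dekNonce, dek, ad),
		DEKNonce:   dekNonce,
		Ciphertext: dataAEAD.Seal(nil, dataNonce, plaintext, ad),
		DataNonce:  dataNonce,
	}, nil
}

// Open is the consumer-side inverse of Seal; a wrong KEK, a tampered blob or a mismatched objectID returns an error.
func Open(kek []byte, obj *StoredObject, objectID string) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ad := []byte(objectID)
	dek, err := kekAEAD.Open(nil, obj.DEKNonce, obj.WrappedDEK, ad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return dataAEAD.Open(nil, obj.DataNonce, obj.Ciphertext, ad)
}

// LeaksPlaintext models an attacker who dumps the CSP's storage: it reports
// whether the stored bytes contain the given plaintext fragment.
func LeaksPlaintext(obj *StoredObject, fragment []byte) bool {
	blob := bytes.Join([][]byte{obj.WrappedDEK, obj.DEKNonce, obj.Ciphertext, obj.DataNonce}, nil)
	return bytes.Contains(blob, fragment)
}

func main() {
	kek := NewKEK() // constructed here; in practice fetched from the consumer's HSM/KMS
	obj, _ := Seal(kek, []byte("customer=Jane Roe;card=4111111111111111"), "acme/customers/2017-01.csv")
	fmt.Println("stored blob exposes card number:", LeaksPlaintext(obj, []byte("4111111111111111")))
	back, err := Open(kek, obj, "acme/customers/2017-01.csv")
	fmt.Println(string(back), err)
}
```

A dump of the CSP’s storage yields neither the record nor a usable data key, which is the condition under which the “unencrypted” trigger in many breach notification statutes is not met, provided the KEK was not compromised as well. Binding the object ID as associated data also stops one tenant’s stored blob from being served in place of another’s.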

Similarly, response risk from a cloud data breach has both technical/process and legal aspects, plus an added dimension. The technical/process response covers how to identify that a security incident has occurred; how to contain the intrusion, repair compromised systems and restore affected data; and how to conduct reviews and remediation to prevent recurrence. The added dimension is the business/reputational response, which seeks to limit the impact on the entity’s financial viability, its revenue and the value of its trademarks and brand names. The legal response requires the organization to comply with a variety of statutory and regulatory requirements for notification, to involve law enforcement and regulators where required, and to image or otherwise preserve potential evidence.

There are many data breach notification laws around the world, often embedded in local privacy laws, and their number is growing. Cloud consumers should remember that by entering the cloud they have by default become global players, and will likely be subject to the data privacy laws of more than one country. In Europe, the e-Privacy Directive requires EU member states to implement legislation under which providers of publicly available electronic communications services (telecoms and ISPs, rather than hosting providers generally) notify the competent national authority of a personal data breach. Where the breach is likely to adversely affect the personal data or privacy of the individuals concerned, those individuals must also be notified.

While there is as yet no general federal data breach notification requirement in the United States, sector-specific regulations in healthcare and financial services require reporting of breaches, and almost every state has a general data breach notification law. These laws typically require notifying consumers when their data is breached in a way that exposes them to a risk of harm, most typically when personally identifiable information or financial information stored in unencrypted form is exposed. What varies among the state statutes is the type of information that must be reported, to whom it must be reported and when. These laws change constantly; several states, e.g., Connecticut and Vermont, have recently revised their data breach statutory requirements.

In the Asia-Pacific region there are both voluntary guidelines and industry-specific requirements to report breaches. Australia, for example, has no general data breach statute, but the government has issued voluntary guidelines. In Hong Kong, the proposed changes to the local privacy ordinance would make breach notification voluntary, but the government has promulgated guidelines and templates ahead of those changes. Japan has industry-sector regulations on data breach notification. In Taiwan and South Korea, recent revisions to privacy laws require data breach notification. In China, local versions of data breach laws complement national breach notice regulations on service providers.

The legal response to a data breach when data is outsourced to the cloud essentially comes down to answering a series of questions:

  • What data breach notification and privacy laws are implicated by a data breach at a CSP, given that the data servers and consumers may be situated in disparate countries around the world?
  • Who is responsible for reporting a data breach, the CSP or the cloud consumer?
  • When must the breach be reported—immediately, after an investigation or perhaps never?
  • To whom must the breach be reported: the local data protection authorities, industry regulators, local and/or international law enforcement (e.g., Interpol or Department of Justice agencies) and/or the data owners or, if the data is outsourced, their data custodians?
  • In what circumstances must the data breach be reported, such as when a certain number of records or a certain type of sensitive data was breached or when criminal activity is suspected?
  • What types of information must be reported?
  • How does the CSP know, in a virtual-resource multitenant cloud environment, which cloud consumer’s data has been breached?
  • What types of evidence must be preserved for future criminal investigation or civil litigation (e.g., network and system logs, data or system images), and how can this be done in a multitenant cloud environment?
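
The last two questions (attribution and evidence preservation in a multitenant environment) have a technical core that the following added Go example illustrates; it is not code from the original post or from any CSP. It assumes the CSP’s access log tags each request with the owning tenant, and it uses a constructed log with constructed tenant names, reserved-range IP addresses and a constructed per-object count of data subjects that in practice would come from the consumer’s own data classification. All identifiers are assumptions.

```go
// Added example, not code from the original post or from any CSP: scoping a
// multitenant breach from access logs and fixing a digest over the evidence.
// Log format, tenant names, IP addresses, inventory and all names are constructed.
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample of a CSP object-access log; each line names the owning tenant.
const sampleLog = `2017-02-10T14:03:11Z tenant=acme principal=svc-backup src=203.0.113.7 action=GetObject object=acme/customers/2017-01.csv status=200
2017-02-10T14:03:19Z tenant=acme principal=svc-backup src=203.0.113.7 action=GetObject object=acme/customers/2016-12.csv status=200
2017-02-10T14:05:42Z tenant=globex principal=svc-backup src=203.0.113.7 action=GetObject object=globex/payroll/feb.xlsx status=200
2017-02-10T14:06:03Z tenant=globex principal=svc-backup src=203.0.113.7 action=GetObject object=globex/payroll/mar.xlsx status=403
2017-02-10T14:09:55Z tenant=initech principal=alice src=198.51.100.4 action=GetObject object=initech/reports/q4.pdf status=200
2017-02-09T02:00:00Z tenant=acme principal=svc-backup src=192.0.2.9 action=GetObject object=acme/customers/2017-01.csv status=200`

// Constructed inventory of data subjects per object (from the consumer's own classification, not the CSP's log).
var objectRecords = map[string]int{
	"acme/customers/2017-01.csv": 1200,
	"acme/customers/2016-12.csv": 950,
	"globex/payroll/feb.xlsx":    310,
	"globex/payroll/mar.xlsx":    320,
}

// parseLine splits "<RFC3339 timestamp> k=v k=v ..." into its parts.
func parseLine(line string) (time.Time, map[string]string, error) {
	ts, rest, _ := strings.Cut(line, " ")
	when, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return time.Time{}, nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	fields := map[string]string{}
	for _, kv := range strings.Fields(rest) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return time.Time{}, nil, fmt.Errorf("malformed field %q in %q", kv, line)
		}
		fields[k] = v
	}
	return when, fields, nil
}

// Impact per tenant: the objects actually read and the data subjects they cover.
type Impact struct {
	Objects []string
	Records int
}

// Scope attributes successful reads by the compromised principal from src within
// [start, end] to the owning tenants. A 403 is an attempt, not a disclosure.
func Scope(log, principal, src string, start, end time.Time) (map[string]Impact, error) {
	seen := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		when, f, err := parseLine(sc.Text())
		if err != nil {
			return nil, err
		}
		if f["principal"] != principal || f["src"] != src || f["status"] != "200" ||
			when.Before(start) || when.After(end) {
			continue
		}
		if seen[f["tenant"]] == nil {
			seen[f["tenant"]] = map[string]bool{}
		}
		seen[f["tenant"]][f["object"]] = true
	}
	out := map[string]Impact{}
	for tenant, objs := range seen {
		var imp Impact
		for o := range objs {
			imp.Objects = append(imp.Objects, o)
			imp.Records += objectRecords[o]
		}
		sort.Strings(imp.Objects)
		out[tenant] = imp
	}
	return out, sc.Err()
}

// EvidenceDigest hashes the log exactly as collected; record it with collector, time and source before rotation.
func EvidenceDigest(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

func main() {
	start, _ := time.Parse(time.RFC3339, "2017-02-10T14:00:00Z")
	impact, err := Scope(sampleLog, "svc-backup", "203.0.113.7", start, start.Add(time.Hour))
	fmt.Println(impact, err, "evidence sha256:", EvidenceDigest(sampleLog))
}
```

Scope answers “which consumer’s data” and feeds the record count for the threshold question; it counts only successful reads, so the denied request for globex’s second file is recorded as an attempt, not a disclosure, and the same object read on a different day from a different address falls outside the incident window. EvidenceDigest fixes the raw log before it is rotated or handled; the digest, together with who collected the log, when and from where, is what a later investigation or litigation will ask for, and the same technique applies to system or disk images.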

This example guidance from the Hong Kong government gives some insight into part of the legal response. It suggests that the data custodian first gather the facts: when and where the breach occurred, how it was detected, its cause, what type of personal data was affected and how many data subjects may be affected. It advises notifying data subjects when a “real risk of harm is reasonably foreseeable.” For the notification itself, it suggests including the date and time of the breach and of its discovery, the cause, the personal data breached, the potential risks of harm, the remedial measures taken to prevent further loss, a contact person and number, the law enforcement or other agencies notified, what is being done to assist affected consumers, and what consumers can do themselves to mitigate risks of harm such as identity theft and financial fraud.

With data breaches, every cloud consumer should take the view that the question is not whether one will happen but when, and whether it will be ready. Much like the events covered by business continuity plans, but with even less certainty as to timing, data breaches can and do occur, including at some of the best-known brands and organizations, even those with a strong public Internet security profile. CSPs, by concentrating many consumers’ data in one place, are an attractive target for bad actors, so cloud consumers should create and test a robust response plan for the day a breach compromises the privacy of their cloud-based data. The plan should address all three areas of cloud data breach response described above, including the legal aspects. Only then can cloud consumers confidently expand their footprint in the cloud.

Written By

Thomas Shaw, CIPP/E, CIPP/US

