Liability in the cloud: a complex forecast

Who should be held liable for data breaches when information flows across international borders via the cloud?

As data is stored and transmitted across international borders via cloud infrastructures, a growing concern is: who should be held liable for data breaches when information flows across jurisdictions?

Should it be the cloud provider or the country in which the breach occurred?

So far, that situation hasn't become a practical problem, but it could become a serious one in the future, according to Phillip Verveer, U.S. coordinator of international communications with the State Department.

Cloud computing services are being provided on a multinational basis and data centers are in numerous countries. Employees are handling that data in potentially more countries, Verveer said. Also, intermediate vendors provide the translation services between and among the data centers.

“So you have the possibility of assertions of jurisdictions occurring in numerous national judicial systems,” Verveer said.

“Sorting these things out on an international level is no small activity,” Verveer said during a panel discussion evaluating the Cloud Computing Act of 2011. The panel, sponsored by the Brookings Institution, was held on Capitol Hill in Washington, D.C., on June 16th.



Sponsored by Senators Amy Klobuchar (D-Minn.) and Orrin Hatch (R-Utah), the Cloud Computing Act of 2011 is draft legislation that encourages the U.S. government to negotiate with other countries to establish consistent laws related to online security and cloud computing.

Typically, the terms and conditions for service will disclaim any liability or indemnification on the part of the service provider, Verveer noted. The next question is: will courts honor contractual provisions that disclaim liability? “My guess is that in many instances, probably not,” Verveer said.

The international community has to develop norms and conventions under which one jurisdiction or another can respect the notion that the proper place for judicial disputes is wherever the contract specifies, he noted.

The international community is at an early stage in understanding liabilities related to the cloud. However, “the possibility of jurisdictional complications are large and as time passes will become a real issue,” Verveer said.

Perhaps the concept of digital embassies might help, said Charles Firestone, executive director of the Communications and Society Program at The Aspen Institute. “You would be treated under the law you came in under throughout the transmission of that data wherever it went,” he said.

It would be much like going into a U.S. embassy in another nation, where a person is on American territory and subject to this country’s laws, Firestone said.

“Let me paint a vignette to drive home the complexity,” said Dan Reed, corporate vice president of technology, policy and strategy and leader of the eXtreme computing group at Microsoft Corp., introducing a hypothetical situation.

“You are Kenyan working for a German multinational whose data is hosted in a U.S. data center and you are traveling in China. Whose laws apply? That is the complexity of the problem,” Reed said.

About the Author

Rutrell Yasin is a freelance technology writer for GCN.
