Liability in the cloud: a complex forecast
Who should be held liable for data breaches when information flows across international borders via the cloud?
- By Rutrell Yasin
- Jun 20, 2011
As data is stored and transmitted across international borders via cloud infrastructures a growing concern is: who should be held liable for data breaches when information flows across jurisdictions?
Should it be the cloud provider or the country in which the breach occurred?
So far that situation hasn't become a practical problem, but could become a serious one in the future, according to Phillip Verveer, U.S. coordinator of international communications with the State Department.
Cloud computing services are being provided on a multinational basis and data centers are in numerous countries. Employees are handling that data in potentially more countries, Verveer said. Also, intermediate vendors provide the translation services between and among the data centers.
“So you have the possibility of assertions of jurisdictions occurring in numerous national judicial systems,” Verveer said.
“Sorting these things out on an international level is no small activity,” Verveer said during a panel discussion evaluating the Cloud Computing Act of 2011 sponsored by the Brookings Institution on Capitol Hill in Washington, D.C. on June 16th.
How to be a cloud
Why you can quit worrying about cloud security
Sponsored by Senators Amy Klobuchar (D-Minn.) and Orrin Hatch (R-Utah), The Cloud Computing Act of 2011 is draft legislation that encourages the U.S. government to negotiate with other countries to establish consistent laws related to online security and cloud computing.
Typically the terms of condition for service will disclaim any liability or indemnification on the part of the service provider, Verveer noted. The next question is: will courts honor contractual provisions that disclaim liability? “My guess is that in many instances, probably not,” Verveer said.
The international community has to develop norms and conventions where one, or another jurisdiction can respect the notion that a proper place for judicial disputes is wherever it is specified by the contract, he noted.
The international community is at an early stage in understanding liabilities related to the cloud. However, “the possibility of jurisdictional complications are large and as time passes will become a real issue,” Verveer said.
Perhaps the concept of digital embassies might help, said Charles Firestone, executive director of communications and society program at The Aspen Institute. “You would be treated under the law you came in under throughout the transmission of that data wherever it went,” he said.
So much like going into a U.S. embassy in another nation, a person is on American territory and subjected to this country’s laws, Firestone said.
“Let me paint a vignette to drive home the complexity,” a hypothetical situation, said Dan Reed, corporate vice president of technology, policy and strategy and leader of the eXtreme computing group at Microsoft Corp.
“You are Kenyan working for a German multinational whose data is hosted in a U.S. data center and you are traveling in China. Whose laws apply? That is the complexity of the problem,” Reed said.
Rutrell Yasin is is a freelance technology writer for GCN.