Pocket Change – Who pays the costs for a data breach in the Cloud?
Cloud computing is being aggressively marketed by major vendors such as Microsoft, Google, and Amazon as a solution with significant benefits. Although there are many benefits there are also inherent risks such as a lack of regulations, standards, and data security. Major breaches at Google, Salesforce.com, Twitter, and Amazon have all proven that there are hidden costs and repercussions from compromised data.
One of the most challenging aspects is: where is the data going to end up? It’s not unusual for a cloud vendor to store data on servers managed by another company, or even in another country. In reality, there can be two or more degrees of separation between your company and your company data. Cloud service providers tend to be vague about their architectures and about where the data is stored. At the same time, state and federal regulations govern the management of health-related and other personal data, and from a legal standpoint ‘I don’t know’ is not an acceptable answer to the question of where that data is being stored.
The service providers aren’t trained in privacy issues, nor are they required to perform background checks on employees, yet for the organization security should be an enormous concern. The number of high-profile hacks on governments and companies is growing all the time. It also doesn’t appear that companies are learning from these hacks. After being repeatedly hacked last year, and despite protestations on each occasion that it had learned from its mistake, Sony got hacked yet again.
The notion that cloud service providers will become military-grade privacy protectors is a pipe dream. Even the military gets hacked – remember Wikileaks? Another issue is who notifies people of compromised personal data: the service provider or the organization? Who pays those costs? If an internal end user posts data that is later compromised, again, who is responsible? Ultimately the organization, not the service provider, is accountable for the data.
The onus is on the organization. However joyfully the cloud is viewed as a one-stop solution to all IT problems, data accountability and the protection of confidential information should be managed internally. This requires incorporating them into the organization’s Information Governance plan (assuming it has one), along with processes to keep confidential data from ever reaching the cloud. Regardless of the size of the organization or its industry, data privacy should be a high priority, so that sensitive content is proactively identified and protected. Whether the breach of confidential information is internal or external, the stakes are too high not to address this issue.
If it is not addressed, cross your fingers and hope it never happens to your organization. The average cost of a data breach is $6.3 million, ranging from $225 thousand to $35 million (Ponemon Institute).
Pocket change – right?
If you are interested, additional information can be found in our white paper Managing Unstructured Content in the Cloud.