This week’s Lawyer’s Weekly features an article by Luis Milan titled “Experts Warn Cloud Computing Still Risky”. The article cites recent data breaches at Sony Corp. and Epsilon Data Management as a catalyst for concern around cloud computing, and goes on to cite several experts on the potential privacy implications of these data breaches.
The only problem? Neither data breach, as the article’s title implies, has anything to do with cloud computing.
The Sony data breach, where personal information for millions of its PlayStation Network users was compromised, was not the result of Sony’s cloud computing infrastructure being compromised; instead, Sony’s on-premise computing infrastructure was compromised because it was running obsolete software with numerous security vulnerabilities. To make matters worse, Sony had been made aware of this via warnings in public forums. Likewise, the security breach at Epsilon, where customer names and e-mail addresses for hundreds of its blue-chip clients were compromised, was caused by the company’s own on-premise servers being hacked.
The stories cited in this article, and many of the quotes provided for the article, highlight the risk inherent in storing data electronically, especially if these storage systems are connectable via the Internet. Conflating the risks inherent in storing data electronically with risks specific to cloud computing is confusing at best and disingenuous at worst. Sony’s infrastructure could be considered analogous to a privately owned, poorly maintained aircraft; if such an aircraft crashed, no one would consider penning an article calling all commercial aviation “risky”.
There’s no question that both Sony and Epsilon have mishandled data that was entrusted to them. Sony, for one, was negligent in its duties by ignoring warnings that its systems were vulnerable. There’s no doubt that stronger privacy legislation should be enacted, and stronger penalties for companies that violate users’ trust should be implemented. This article, and the discussion around it, should really be about the ramifications of companies storing private user data; the method a company uses to store and retrieve this data, whether on-premise or cloud-based, is irrelevant.