Clouding the Issue

This week’s Lawyer’s Weekly features an article by Luis Milan titled Experts Warn Cloud Computing Still Risky. The article cites recent data breaches at Sony Corp. and Epsilon Data Management as a catalyst for concern around cloud computing, and goes on to cite several experts on the potential privacy implications of these data breaches.

The only problem? Neither data breach, as the article’s title implies, has anything to do with cloud computing.

The Sony data breach, where personal information for millions of its Playstation Network users was compromised, was not the result of Sony’s cloud computing infrastructure being compromised; instead, Sony’s on-premise computing infrastructure was compromised because it was running obsolete software with numerous security vulnerabilities. To make matters worse, Sony had been made aware of this via warnings in public forums. Likewise, the security breach at Epsilon, where customer names and e-mail addresses for hundreds of its blue-chip clients were compromised, was caused by the company’s own on-premise servers being hacked.

The stories cited in this article, and many of the quotes provides for the article, highlight the risk inherent in storing data electronically, especially if these storage systems are connectable via the Internet. Conflating the risks inherent in storing data electronically with risks specific to cloud computing is confusing at best and disingenuous at worst. Sony’s infrastructure could be considered analogous to a privately owned, poorly maintained aircraft; if such an aircraft crashed, no-one would consider penning an article calling all commercial aviation “risky”.

There’s no question that both Sony and Epsilon have mis-handled data that was entrusted to them. Sony, for one, was negligent in its duties by ignoring warnings that its systems were vulnerable. There’s no doubt that stronger privacy legislation should be enacted, and stronger penalties for companies that violate user’s trust should be implemented. This article, and the discussion around it, should really be about the ramifications of companies storing private user data; the method a company uses to store and retrieve this data, whether on-premise or cloud-based, is irrelevant.


  1. I side with you that the issues of data-security and integrity of the “Cloud” are easily conflated, and not always with great reason.
    Has anyone else seen this recent survey of IT professionals in the law industry?
    For one question almost half of the respondents agreed that the “Cloud” has serious compliance issues (which is admittedly true in BC where the regulators have not exactly heralded in the “Cloud” with unreserved welcome, and thus official compliance hangs with a question mark). However, a canny 10% stated:

    “‘Cloud’ is a myth – law firms need to know their applications and data are handled by known entities, which isn’t ‘cloud’ at all.”

    This echoes what you say at the end of your post, “This article, and the discussion around it, should really be about the ramifications of companies storing private user data; the method a company uses to store and retrieve this data, whether on-premise or cloud-based, is irrelevant.”

  2. Thanks for the comment Nate. I think for all it’s got going for it as a marketing term, “the cloud” does connote a certain nebulous quantity. At the end of the day your data isn’t just being stored “up there” in the cloud somewhere, it’s physically stored with a specific company.

  3. Ryan Mattinson

    It’s never been clear to me what “the cloud” or “cloud computing” actually are. The way these terms are most often used tends to confusingly mash together one or more concepts which have been more clearly defined by existing terms such as “the Internet”, “online storage/backup”, “software as a service” and “virtual private servers/networks”. None of these are anything new.

    One party’s server is another party’s cloud. This means the breaches in question may or may not deal with cloud computing depending on whether they’re being discussed from the perspective of the service provider or the users. From the perspective of the users, the breached information was stored “in the cloud”. The Wikipedia page for cloud computing is painfully amorphous and should be enough to convince most people that these terms are too confused to be of any use in legal or technical writing. Let’s leave them to media and advertising where they may yet serve some purpose.

  4. Ryan, I agree – the “cloud” has become an all-encompassing term to include almost any device connected to the internet. However, from my perspective “cloud computing” is really about choosing to host data with a third party that is operating their own cloud-based infrastructure (for example, Amazon’s EC2 cloud computing service).

    In the case of Sony, they hosted all their own data internally (i.e. “on-premise) and were directly responsible for the maintenance and security of their computing infrastructure. There was no reliance upon, or fault caused by, cloud computing.

    The discussion should really be about the increasing number companies our private data is entrusted to; the threat of that data being compromised rises inexorably every year.

  5. This is a really important issue, especially from a privacy compliance perspective. For me, the two most salient relevant features of the cloud are that personal data is stored with third parties (who may then store it with other third parties, accessed online and stored in shared/virtualized environments (many sets of data, one physical machine).

    On top of that, servers are many times located in third countries, and given the ad hoc access and storage, it is not easy and sometimes impossible to know where the data actually is at a given point in time. For that reason, some European data protection authorities are of the view that cloud computing is inherently incompatible with current (EU) laws.

    While I agree that it comes down to organizations taking care of the data they are entrusted with, the cloud, hyped term or not, is more than just outsourcing the storage of digital data to a specific company, and therefore requires careful thought and, in my mind, differentiated treatment from a privacy law perspective.

    Breach notification with real fines may be part of that mix, and one will have to see how C-29 will take this into account.