Problem
Who is liable for a data breach in a cloud computing environment? Is it the organization that contracted with the cloud provider to use the provider's resources, or is it the provider itself? The current legal framework regarding data breaches is not well defined. Under most current laws, the data owner (the organization that has accumulated user data and stores it in the cloud) is responsible for data breaches, and thus must pay any fines or fees that result from legal action by its customers due to a data breach. Under current law, the data holder (the cloud provider) cannot be legally implicated or held responsible for a data breach; if a data breach occurs, the data holder must notify the data owner, but it is not required to take additional steps. Is this appropriate? Should the data holder shoulder responsibility if it can be proven that it was at least partially at fault? Or should it be the responsibility of the data owner to determine the security of the cloud system?