I recently read an article written by James Urquhart entitled “Does cloud computing require malpractice safeguards?” in which he approaches the idea of imposing a mandated penalty for the failure of a provider to reasonably protect your data.
I had to ask myself a few questions:
- What would the potential laws be?
- Is it feasible to implement?
- What are the implications of implementing such a beast?
- What can you do?
In the article, James supplies two options:
- Pass “cloud consumer protection” laws. This was something that was briefly explored after I wrote my “Cloud Computing Bill of Rights” post in August of 2008. However, the folks who got involved at that time weren’t a) vendors or b) policymakers, so we didn’t get far. The biggest issue with using the law to enforce professional culpability is that it requires government bureaucracy for enforcement. That bureaucracy doesn’t exist today, and would be expensive to create.
- Allow for “cloud malpractice” suits. Oh, I know, I know. Most of you in the IT profession are squirming in your chairs right now, ready to jump down my throat about how medical malpractice has created as many problems as it has solved. Again, I don’t love this option, either. However, if Danger had lost arguably hundreds of thousands of dollars worth of data (or more) because it didn’t tangibly fear the reprisals that would come if it lost it, it would be nice to see a big ol’ sledgehammer of justice ready to rain down. I’m sorry, but failure to follow known professional practices is malpractice, and malpractice suits exist to punish those who forget that.
He does follow this up by stating that neither option is great.
Is it feasible?
Having a Cloud Computing code of conduct or a Cloud Computing Bill of Rights, administered by a working committee of some description and subscribed to by cloud computing providers, would be a start, though there is little incentive for providers to do this. As James points out, getting something of this nature passed as a law takes a lot of political backing. Going through the steps to get it from the idea to a bill and eventually law is a long and arduous process (*) regardless of what country you live in.
Unless someone in the parliament is willing to push this agenda, or you have a bucketload of cash, it isn’t going to get anywhere.
A lot of the large cloud computing providers (Microsoft, Cisco, Google and Amazon) have multiple data centres scattered across the globe. How would the malpractice safeguards be universally applied, let alone enforced?
What can you do?
In the interim you are forced to hold your cloud computing provider to their SLAs. As pointed out in a previous post, ensure you know what you are getting when you sign that contract with regard to the level of protection the cloud computing provider is giving you. And if all else fails, remember to vote with your feet. Providers will not get the message if you take it on the chin and continue to use their service.
(*) From what little research I’ve done on the matter.