Who is Responsible When a Cloud Security Data Breach Occurs?

The cloud makes access simple and enables forward-thinking approaches such as remote working. Yet this accessibility may leave the cloud vulnerable to data security breaches.

A study from early 2019 revealed that 72% of enterprises using cloud-based software had been the targets of security threats, and 40% of respondents admitted that at least one account connected with them had been compromised. All of these incidents had taken place within the previous six months.

So when such cyber security breaches occur, who is responsible?

In this article, we’ll discuss data breach liability and explore data breach consequences. We’ll also explain how to prevent security breaches in cloud infrastructures.

Who does a cloud security data breach affect?

Generally, there are three parties involved in the use of the cloud:

  • The cloud service provider
  • The business utilising their service
  • The customers of that business

In the event of a data breach, those involved may be broken down into:

  • The data controller or owner
  • The data holder
  • The data subject

Usually, the data controller or owner is the business using the cloud, the holder is the cloud service and the subject is the customer.

Yet a breach may also compromise sensitive data belonging to the organisation itself, such as intellectual property or trade secrets. In that case the organisation is also a data subject.

Often, the data owner is held liable for cloud security data breaches. However, depending on the circumstances and the evidence available, the data holder (the cloud service) may be considered responsible instead.

To avoid a breach, data owners should carefully vet cloud services before choosing to store data with them. They must also ensure that their own GDPR policies and procedures are watertight.

How might a cloud service data breach occur?

The term “data breach” refers to an unauthorised individual gaining access to sensitive personal information and data stored in the cloud. This may occur under many different circumstances, including:

  • Negligence (such as leaving an account logged in while in a public area – made more likely by the ease of remote access that the cloud provides)
  • The abuse of insecure APIs (Application Programming Interfaces) by hackers
  • Indiscriminately sharing files, passwords and other security details (management cannot easily track the sharing of information on a cloud-based platform)
  • Human errors made by cloud engineers that reduce the security of files or expose data

In the event of a breach, who may be held responsible?

The storage and sharing of personal data is regulated by the ICO (Information Commissioner’s Office) and must comply with the GDPR (General Data Protection Regulation).

Under the GDPR, the data owner or controller must follow data protection legislation and undertake risk assessments. They must ensure that the location in which they store data is secure and has suitable privacy measures. They are also required to vet data holders and processors, checking that these parties offer sufficient guarantees against a breach.

Data owners are held responsible for data security. For this reason, they are usually considered liable for breaches. Of course, the data owner may be able to argue that they did everything required of them to ensure the security of the data. They may also be able to provide clear evidence of negligence on the side of another party.

There may be proof that the data holder compromised its own security by implementing a faulty update. A third party may also prove to be liable – for example, an engineer whose tinkering left data exposed.

If a data owner took all necessary steps to prevent a breach and a hacker was still able to access their data, they may not be considered liable. This is rare, though. When it comes to cloud computing security breaches, most examples show that those storing data in the cloud are the party most at risk.

Usually, investigators rule the data owner to be at fault even if the data holder failed to provide adequate security.

How can I avoid cloud security breaches?

Most companies now have data security policies and procedures in place. The mistake many make is that these approaches do not extend to the cloud.

Many organisations vet the security of partners, suppliers, contractors and other third parties. It is vital to take this approach with cloud services as well, and hire IT security professionals to put extra measures in place.

Passwords must be strong and should be changed regularly. Where possible, there should be multiple layers of security between the user and sensitive data.

Many companies avoid using the cloud despite its obvious benefits, out of concern about the perceived risks involved. With proper security and a diligent, informed approach, though, these risks can be heavily reduced.

What are the consequences of a cloud security data breach?

If your company is found to be liable for a breach of personal data, you may face significant penalties.

These may extend to €10 million or 2% of your organisation’s annual turnover for minor breaches – whichever is higher. For major breaches, you may be expected to pay €20 million or 4% of your turnover.

For this reason, it’s important to seek proper legal representation as soon as you learn of a breach. Your advisers will help you to collect information and report the breach to the ICO within the 72 hours required by law.

They will also help you to build a strong defence and argue that the negligence was on the part of the data holder, not your company. They may also be able to reduce your penalty by proving that you made every effort to prevent a breach.

The solicitors at DPP GDPR understand the management of cloud data security breaches. We’ll provide data breach legislation advice and help you to understand your responsibilities and protect your data. Contact us today on 0333 200 5859.