4 hours 51 minutes

Video Transcription

that said, This is probably my favorite question we got. This did come from Mr Garcia, and it's How did the areas of cloud computing and cybersecurity overlap in particular when you're using cloud storage? Who's responsible for protecting the data? Who is liable for that data? Aziz, We kind of alluded to earlier in this video.
I love studying the law. I'm a huge advocate of sort of the cross section between cyber security
and the legal, the world of law, particularly privacy law. I think it's fascinating because it's we're trying to use an ancient system fundamentally, you know, the American legal system is the one I'm familiar with. It is based on the British legal system is basically you can trace it a straight line all the way back to the Magna Carta.
And we're trying to use this this ancient overall system to legislate for a brand new technology, something that really only started existing in the last couple of decades. And it's really fascinating for me watching sort of how these things interact. So I did some research on this one because the first, the basic question is how do they overlap?
Fundamentally, if you're a cloud provider and you do not provide security on your data. One, You're a terrible provider. Until you probably won't be a provider for very long.
It is. Fundamentally security exists at every single step of the I T life cycle, including even if you're using things like infrastructure is a service or platform is a service or whatever is a service, you have to have security in place in those areas.
So the easy answer, the question is, if you have if you are the data owner or the data handler, you must implement cyber security if you don't. If you don't have professionals who understand technology most from a cloud perspective and a security perspective, you're gonna have a bad day.
The slightly more complex answer and the one that I was really fascinated by is from it from a point of sort of the actual law who is ultimately responsible for protecting data.
So what? We've found what I found. I didn't want to research on this over the weekend. What I generally found is that American case law of individual American state laws hold the data owner responsible. So even if you're using cloud storage if that cloud suffers a data breach you is the company who theoretically owns that data
are ultimately responsible to your clients and customers.
You essentially, you are the one who could be sued in court. However, I really want to stress that's not been tested federally. And in fact, uh, we've got a case when we look here
wth e Michigan Supreme Court actually found that there are specific cases in which the general contractor is going to not necessarily be responsible for the negligence of the organization providing the subject. The, uh What's the word? I'm looking for the service that is actually at issue.
So you're gonna run into cases where even though you are the data owner and you're theoretically responsible for this,
you can make the argument that you met the requirements for avoiding negligence by choosing a cloud provider who is security conscious and has theoretically or was supposed to or claimed to have implemented the appropriate security checks, the specific areas where this kind of gets interesting and fuzzy.
The A B A, which the American Bar Association, which govern you know, it's the,
industry body four lawyers actually has has started allowing cloud storage for storing client data. So even though that's supposed to be something that is close hold by the by the law firm, they're actually allowing for cloud storage for that.
Alternatively, you have HIPPA, which is for medical data, really, really Extensive. Legislation governing the privacy and security of medical data have found that the liability in hip related cases actually falls with the data holder, the company whose storing that data,
however fundamentally hippo also requires that you implement certain physical controls to whatever
system is storing the data. So there's this really interesting area where, in a case of a breach of hip a data, the data holding company, the Cloud Computing Company, is liable for that data being lost. But the original company that contract to them is probably liable for violating HIPPA in contracting to them in the first place.
So it's it's really cool, because this hasn't really gotten a matter of first impression by federal courts yet,
And so we're still kind of in a case where the answer to that question is legitimately,
we'll find out when someone takes it to the ninth Circuit. It's a really, really cool to me. It's a really, really cool area of the law on area of cyber security. But the short answer is
implement security everywhere because no matter where you exist in that chain, there's a good chance you're going to get sued. If you lose that data
so and again, reemphasizing. I am not a lawyer. This is not legal advice. Just a cool little research project on the side.
All right.

Up Next

Introduction to IT & Cybersecurity

In this FREE IT and cybersecurity training for beginners, you will learn about the four primary disciplines of information technology (IT) and cybersecurity. This introduction to IT course is designed to help you decide which career path is right for you.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor Profile Image
Ken Underhill
Master Instructor at Cybrary
Master Instructor