The second problem is that the damages from a data breach can be breathtakingly large. Even if a business merely suspects a security breach, the costs begin to pile up. First, the task of discovering the nature of the breach and the extent of the damage will require technical and legal experts and their associated fees. If the investigation requires critical servers to be taken offline, then any lost revenues will add to the total. Further legal assistance will be required to evaluate the potential liability (especially if any sort of financial or healthcare data is involved), analyze mitigation strategies and navigate the patchwork of federal and state laws related to data privacy and security. Notification of customers and associated remedial measures, including arranging for data theft insurance for affected individuals, will also not come cheap. Finally, there is the unquantifiable reputational damage from the publicity surrounding such an event -- the affected business may need to undertake broad marketing campaigns to overcome the negative impressions and win back customers.
Faced with these two problems, lawyers asked to advise on a cloud-computing plan might be inclined to just say no rather than compromise their ability to get a good night's sleep. But balanced against these very real drawbacks are benefits that are just as real: the ease of use and lower cost afforded by cloud-based storage. Denied the option of saying no, the lawyers turn their attention to the cloud-computing contract and use it to assign responsibility and liability between the parties. In legal jargon, this task is known as "risk allocation."
Naturally, data security liability is often the subject of aggressive negotiations, especially in an environment where the background threat level is much higher than in the past. For obvious reasons, customers desire the best security possible for their data. Providers, for their part, will assume responsibility for their own failures but are keenly aware that hackers may penetrate even the best-defended system. The argument about risk allocation tends to become an even louder argument about the provider "insuring" its customers against the risk of a data breach. Once the shouting dies down, the parties are generally able to reach agreement by evaluating the types of data involved and the security measures to be used. One security measure, encryption, seems to be more effective at pacifying the parties than any other.