From a business perspective, encryption theoretically reduces the value to third parties of any data compromised in a breach, thereby mitigating the associated cleanup costs. From a legal perspective, this reduced value lowers the risk to be allocated and shifts the focus to the encryption techniques to be used. As a bonus, encryption may provide data owners with a degree of control over the data that they otherwise would not have in cloud-computing environments. For example, document retention policies may be made more "cloud-compatible" with a combination of encrypted data and time-sensitive keys.
Of course, all technologies involve trade-offs. Encryption requires higher processor overhead at one or more levels of the storage chain (although Moore's Law should help with this). Customer-level encryption offers more control over the encryption techniques and key-handling procedures, but it may increase storage consumption requirements due to abandoned-data issues.
I will leave it to the experts to sort out the technical details regarding best practices, but my sense is that the standardization of cloud-based encryption will help resolve a number of operational and legal challenges facing providers and customers (subject to the lawyers identifying new issues created by its implementation).
It may even leave more lawyers with a full head of hair.
Brian Henchey is a partner in the corporate section of Baker Botts, representing clients in connection with cloud computing agreements, large-scale outsourcing transactions, technology licensing and other technology transactions. He no longer has a full head of hair.
Read more about cloud computing in Computerworld's Cloud Computing Topic Center.
