Cybersecurity and Liability in a Big Data World

The interplay between big data and cloud computing is without doubt simultaneously promising, challenging and puzzling. The current technological landscape is not without paradoxes and risks, which under certain circumstances may raise liability issues for market operators. In this article we illustrate the several challenges in terms of security and resilience that market operators face, since overcoming those challenges is of strategic importance for businesses wishing to be deemed privacy-respectful and reliable market actors. After a brief overview of the potentialities and drawbacks deriving from the combination of big data and cloud computing, this paper illustrates the challenges and the obligations imposed by the European institutions on providers processing personal data – pursuant to the General Data Protection Regulation – and on providers of digital services and essential services – according to the NIS Directive. We also survey the European institutions' push towards the development and adoption of codes of conduct, standards and certificates, as well as their latest proposal for a new Cybersecurity Act. We conclude by showing that, despite this elaborate framework, big data and cloud service providers still leverage their strong bargaining power to use "contractual shields" and escape liability.

which value is generated and extracted. 11 It is not just about the quantity of data, but also its increasing variety (in terms of format, nature and sources) and processing speed, as well as its potential for effective predictions and often surprising insights. "We are on the cusp of a 'Big Data' Revolution", 12 which is just the latest stage in the wider information revolution, leading to a greater scale of change at a greater speed. In the era of big data, every second, massive quantities of data are produced by and about people, devices and their interactions, ranging from purchase history and social media behaviour to phone logs, from health records to genetic sequences. On the basis of big data, algorithms work as "somewhat a modern myth", 13 competing to become part of our daily lives and homes, even able to write "symphonies as moving as those composed by Beethoven". 14 Indeed, big data could also be defined in terms of the great societal impact it could have, as referring "to things one can do at a large scale that cannot be done at a smaller one, to extract new insights or create new forms of value, in ways that change markets, organizations, the relationship between citizens and governments, and more". 15 In the context of the collection of increasingly complex volumes of (big) data and its automated analysis, for algorithms to extract large-scale patterns in human behaviour and reach sophisticated conclusions, it is necessary to rely on a flexible and scalable infrastructure: cloud computing. 16 Cloud computing certainly has the potential to yield significant benefits, by offering, upon request, continuous and convenient access from anywhere to a pool of resources in data centres equipped with increasingly high computational capacity. 17
More specifically, cloud computing operation (and success) is based on five characteristics: (i) broad network access by a variety of devices and workstations worldwide; (ii) on-demand self-service, whereby users can enjoy cloud computing resources whenever they so request, through a web-based self-service portal and without the need for human interaction; (iii) payment measured on use; (iv) resource pooling, whereby multiple users are served via the same physical resources while data remains securely separated at the logical level; and (v) rapid elasticity, which ensures that the user always has the exact capacity needed at any given time. 18
Accordingly, at European Union level a cloud computing service is defined as "a digital service that enables access to a scalable and elastic pool of shareable computing resources". 19 In this regard, to use the words of the European legislator, "the term 'scalable' refers to computing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand. The term 'elastic pool' is used to describe those computing resources that are provisioned and released according to demand in order to rapidly increase and decrease resources available depending on workload. The term 'shareable' is used to describe those computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment". 20 Depending on the deployment model, a cloud can be structured as: (i) private, when the service is for the exclusive use of a single user; (ii) public, when open use by the general public is allowed; and (iii) hybrid, when a mix of both applies.
In order to provide cloud services to users, be they consumers or businesses, a provider (hereinafter "cloud service provider" or "CSP") deals with: (i) the implementation of the services, (ii) the abstraction of resources, (iii) the provision of physical resources, (iv) the management of services, and (v) compliance with security and privacy obligations. 21 Pursuant to a different, but complementary, criterion, cloud services can also be distinguished on the basis of the service model: Infrastructure as a Service (IaaS) offers processing and storage capacity to users accessing directly from the Internet, as well as the ability to access, monitor and manage remote data centre infrastructures (e.g., Amazon Web Services and Microsoft Azure); Platform as a Service (PaaS) enables users to develop, test and deploy applications easily through a self-service portal and other instruments provided by the CSP, without the need to install any program on their computers (such as Google Apps Premier and Google Docs); and Software as a Service (SaaS) is the model where centrally hosted software is licensed to users on a subscription basis (e.g., Slack, Dropbox and Concur).
11 European Data Protection Supervisor (EDPS), "Meeting the challenges of big data. A call for transparency, user control, data protection by design and accountability", Opinion 7/2015, 19 November 2015, https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-11-19_Big_Data_EN.pdf: 5.
12 Richards M. Neil, Jonathan H. King, op. cit., 393.
13 Solon Barocas, Sophie Hood, Malte Ziewitz, "Governing Algorithms: A Provocation Piece", 29 March 2013, http://governingalgorithms.org/resources/provocation-piece/.
14 Ibid., referring to Christopher Steiner, "Automate This: How Algorithms Came to Rule Our World", Penguin (2012).
15 Richards M. Neil, Jonathan H. King, op. cit., 394, referring to Viktor Mayer-Schonberger, Kenneth Cukier, "Big Data: A Revolution That Will Transform How We Live, Work and Think", Houghton Mifflin Harcourt (2013).
16 John Gantz, David Reinsel, "Extracting Value from Chaos", IDC (2011), https://uk.emc.com/collateral/analyst-reports/idc-extracting-value-from-chaos-ar.pdf.
17 Nicole Lazar, "The big picture: Big Data Hits the Big Time", Chance 25 (2012): 47-49. See also Lee Badger, Tim Grance, Robert Patt-Corner, Jeff Voas, "Cloud Computing Synopsis and Recommendations. Recommendations of the National Institute of Standards and Technology", NIST (2012).
18 Edwin Schoutem, "Cloud computing defined: Characteristics & service levels", IBM, 31 January 2014, https://www.ibm.com/blogs/cloud-computing/2014/01/31/cloud-computing-defined-characteristics-service-levels/.
Against this backdrop, we briefly overview the potentialities and drawbacks deriving from the combination of big data and cloud computing, to then focus on security and resilience as being of fundamental strategic importance for businesses wishing to be deemed privacy-respectful and reliable market actors. Although the European legislator imposes increasingly strict obligations on providers processing personal data, pursuant to the General Data Protection Regulation, 22 and on providers of digital services and essential services, according to the NIS Directive, encourages their participation in the development of codes of conduct, standards and certificates, and proposes a new Cybersecurity Act, 23 big data and cloud service providers leverage their strong bargaining power to use "contractual shields" and escape liability.
19 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, 1-30 ("NIS Directive"), Article 4, no. 19.
20 NIS Directive, Recital 17.
21 "The implementation of the services" consists in the provision of one of the service models, while "the abstraction of resources" entails the provision of interfaces for interaction, "the provision of physical resources" relates to hardware, and "service management" includes the provision of business support, as well as portability and interoperability functions. Lastly, "compliance with security and privacy obligations" depends on the requirements set under the relevant legal system. On this, Ali Gholami, Erwin Laure, "Big data security and privacy issues in the cloud", International

Risks and opportunities at the intersection between big data and cloud computing
Debates around emerging technologies are often heated. Besides the discussion on the nature of technology (good, bad or neutral), its interaction with the social ecology is such that "technical developments frequently have environmental, social, and human consequences that go far beyond the immediate purposes of the technical devices and practices themselves." 24 For instance, "like other socio-technical phenomena, Big Data triggers both utopian and dystopian rhetoric." On one hand, Big Data is a powerful tool to address various societal ills, offering the potential of new insights into areas as diverse as cancer research, terrorism, and climate change. On the other hand, Big Data is also seen as a troubling manifestation of Big Brother, enabling invasions of privacy, decreased civil freedoms, and increased state and corporate control. 25 As a matter of fact, the potential and risks related to big data and cloud computing are probably only partially known, and further implications will emerge over time.
As for the benefits, it is not just about the reduced costs deriving from the use of third-party infrastructures for storing and processing data: according to the enthusiasts, big data is of fundamental importance in preserving and managing valuable resources, curing lethal diseases, and making life safer and more efficient. Those who believe in the "quantified self" welcome tools to measure life and improve sleep, lose weight, be more fit and so on. 26 It is particularly promising that, through big data, it is now possible to establish new correlations between different datasets, so as to infer additional information, predict behaviours and evaluate the probability that a given event will occur. 27 This is particularly useful for businesses, given that the data collected from users (be they actual or prospective clients) is used to better understand their preferences and behaviour, predict purchases and better direct marketing efforts. 28 Not surprisingly, tailored services are increasingly being developed and targeted advertising has become common practice among businesses. Aggregation, use and reuse of data are now an essential part of many business models, to the point that data has been labelled the "oil" of the 21st century. 29 Accordingly, it is not unexpected that the cloud computing market is projected to reach $411 billion by 2020. 30 At the same time, big data raises numerous risks that are, at least initially, well exemplified in the "three paradoxes" identified by Richards and King. 31
Firstly, it should be noted that big data concerns all kinds of private information, while the systems and techniques used for processing are generally under legal and commercial secrecy. This is known as the "transparency paradox". Secondly, it is likely that the great benefits potentially deriving from big data can only be achieved at the expense of individual and collective identity, i.e., the "identity paradox". Thirdly, while big data is welcomed as a tool to transform society, its tendency to concentrate power in the hands of a few governments and large companies, to the detriment of individuals, should not be neglected. This is the "power paradox".
23 Proposal for a Regulation of the European Parliament and of the Council on ENISA, the "European Union Agency for Cybersecurity", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification, 29 May 2018, 9350/18 ("Cybersecurity Act").
In addition, there are a number of concerns surrounding the possible impact of big data on the rights and freedoms of individuals, especially the right to privacy and data protection. So as not to be seen as incompatible with the fundamental values and rights within a society, technological advancements should take place in a way that respects fundamental rights. 32 However, new business models based on the commercial exploitation of big data, by making massive collections, combinations, transfers and reuses of personal data for a number of purposes, trigger privacy concerns. In such a context, where the volume of data keeps growing exponentially and information is increasingly a shared resource, the protection of personal data becomes at the same time a more pressing need and a more difficult objective to achieve. Discrimination, exclusion and loss of control over data are only some of the risks that may result from the de-anonymisation of certain categories of data, from browsing activity to health data, from GPS coordinates to political beliefs. 33 Cloud computing services, however beneficial and promising for the future, are deemed to deprive users of control over data, processes and policies. 34 It follows that CSPs hosting large amounts of data, including sensitive data, are required to implement organisational and technical measures to address any possible flaws in the protection system. Such security measures are constantly evolving, just as cloud computing services are evolving. 35 There cannot be effective user privacy protection without proper efforts to continuously guarantee security and resilience.

29 Perry Rotella, "Is Data The New Oil?", Forbes (2012), https://www.forbes.com/sites/perryrotella/2012/04/02/is-data-the-new-oil/#77bbfe6f7db3. A different perspective in Bernard Marr, "Here's Why Data Is Not The New Oil", Forbes (2018), https://www.forbes.com/sites/bernardmarr/2018/03/05/heres-why-data-is-not-the-new-oil/#41e9d02a3aa9. European institutions have realized the economic potential of big data and now intend to create a data economy through public-private partnerships that could make Europe a leader in the global market (https://ec.europa.eu/digital-single-market/en/news/big-data-value-public-private-partnership) and the Horizon 2020 strategy (https://ec.europa.eu/programmes/horizon2020/en/what-horizon-2020).
30 Louis Columbus, "Cloud Computing Market Projected to Reach $411B By 2020", Forbes (2017), https://www.forbes.com/sites/louiscolumbus/2017/10/18/cloud-computing-market-projected-to-reach-411b-by-2020/#6c64eb9278f2.
31 Richards M. Neil, Jonathan H. King, op. cit., 42.
32 European Data Protection Supervisor (EDPS), "Meeting the challenges of big data", op. cit.
33 European Commission, "The EU data protection reform and big data factsheet" (2016), http://ec.europa.eu/justice/dataprotection/files/data-protection-big-data_factsheet_web_en.pdf.
34 Siani Pearson, "Privacy, security and trust in cloud computing", in Siani Pearson, George Yee (eds.), "Privacy and security for cloud computing, computer communications and networks", Springer (2013).

3. Security and resilience: the real challenges for cloud service providers
In the information society, 36 where users pour their lives onto the network and businesses increasingly rely on online services for their daily activities, protecting data means firstly ensuring its security throughout its value cycle.
Data security in turn involves guaranteeing an adequate degree of protection for resources, achieved through the implementation of a comprehensive procedure based on a continuous cycle of assessment and re-evaluation of risks and the consequent implementation of adequate organisational and technical measures that ensure persistent data protection. This entails, on the one hand, maintaining the integrity, confidentiality and availability of data, regardless of the means whereby data is stored, processed or transmitted, and, on the other hand, effectively counteracting any threat, whether internal or external, accidental or intentional.
In other words, security is not just an end result, but a process, which requires constant and simultaneous compliance with the three following requirements (also known by the acronym CIA): (i) confidentiality, i.e., protection against unauthorised access and disclosure; (ii) integrity, i.e., protection against undue alterations and deletions that would make the dataset inaccurate and unreliable; and (iii) availability, i.e., the possibility for users to access and use the data upon request and with adequate response time.
Since the dawn of the Internet, compliance with these requirements has been endangered by the initiatives of hackers or crackers, who intend to exploit system vulnerabilities in software, hardware or processes, to cause the destruction of resources and damage to users. 37 In order to obtain personal information (to be sold, for instance, on the black market), cybercriminals constantly look for vulnerabilities and adapt their tactics to cope with new security measures. The incidence and severity of cyber threats are increasing: for instance, a new specimen of malware seems to be developed every second. The companies most at risk of being breached are those dealing with personally identifiable information (PII), together with payment card industry information (PCI) and protected health information (PHI). 38 Cloud storage, like any other digital environment, is vulnerable to "traditional" threats, such as malware, denial of service and ransomware, including its most recent variant, crypto-ransomware. Given the unique technological architecture of the cloud, as well as its operating models, further risks emerge at the following levels: physical facilities (physical security), infrastructure network (network security), information systems (system security) and applications (application security).
Cloud-related risks have been mapped by the European Network and Information Security Agency (ENISA) 39 pursuant to a risk-based approach (i.e., taking into account the probability and impact of any given threat). A distinction is possible between (i) policy and organisational risks, which may lead to, for instance, lock-in, loss of governance over security aspects, supply chain failures, and social engineering attacks; (ii) technical risks, relating, for instance, to under- or over-provisioning, interception of data in transit, failure to isolate data belonging to different users, ineffective deletion of data, and loss of backups; and (iii) legal risks, e.g., in the event that law enforcement authorities ask for the cooperation of CSPs in investigations and judicial proceedings. 40 One of the most challenging aspects of cloud computing is the geographical dislocation of its systems. Firstly, this determines the inability to identify the exact location of data at any given time. Although this may be of little concern for users in the context of the normal use of cloud services, it becomes particularly important in the event of security breaches, when the recovery of data depends on locating it. Secondly, the location of the data is a fundamental criterion for determining the applicable law. Data stored in data centres located in multiple jurisdictions may trigger the applicability of multiple national laws, which may not always be perfectly compatible. 41
Against this backdrop, security, as described above in terms of integrity, confidentiality and availability, should be pursued through organisational and technical measures, holistically and throughout the data value cycle, i.e., the phases through which data is transformed to finally lead to innovation: (i) datafication and data collection, which occur by digitalisation and by monitoring even (offline) global activities via sensors; (ii) the creation of big data, i.e., a large pool of data with no inherent meaning or structure until processed via data analytics; (iii) data analytics, intended as a set of techniques, software and skills aimed at extracting information from data; (iv) the creation of a knowledge base; and (v) data-driven decision making. 42 Similarly, security shall be pursued at every stage of the product lifecycle, from development to usage until end-of-life, insofar as such products entail the collection and generation of data. This is particularly relevant in relation to the Internet of Things (e.g., smart home devices, 43 remote medical care tools for smart hospitals, 44 smart cars 45 and Intelligent Public Transport systems 46). But great efforts have also been dedicated to cloud computing, with ENISA launching the Cloud Security and Resilience Expert Group in 2013 and issuing a number of reports on the matter. 47 At the organisational level, governance obligations include the implementation of security policies and procedures, proper training and management of personnel, periodic risk assessments and regular audit programmes.
36 The concept of "information society" was theorised for the first time by Daniel Bell, "The Coming of Post-Industrial Society: A Venture in Social Forecasting", Reissue (1973). For an overview of the interpretations and theories related to this concept, please refer to Frank Webster, "Theories of the Information Society", Routledge (2014).
37 P.W. Singer, Allan Friedman, "Cybersecurity and Cyberwar: What Everyone Needs to Know", Oxford University Press
Technical measures should be implemented to address each security issue (namely integrity of the devices collecting data, source validation, infrastructure security, secure data management, platform and application software security, supply chain security, and interoperability of applications) through access control and authentication, encryption, source filtering, monitoring and logging, security testing procedures and audits, as well as compliance with standards and certification mechanisms. 48 Overall, it has been observed that "because of the constant innovations that characterize the digital sector and to respond to them in an appropriate manner, any cyber security strategy must be accompanied by a foresight exercise intended to anticipate emerging technological, cultural and criminal trends." 49 However, despite numerous and sophisticated measures, the total elimination of the risks connected to big data and cloud computing is difficult to achieve, as "no data is totally safe". 50 In such a complex scenario, where security cannot be guaranteed yet must be pursued (thereby becoming one of the most critical factors for any CSP), it is the concept of resilience to digital threats that provides the means of guaranteeing a safe ecosystem.
Resilience, a notion arising from the convergence of the notions of cyber security and business continuity, is "the ability of an organization to anticipate, prepare, respond and adapt actively to events, whether they are gradual or sudden changes, so as to ensure their survival". 51 A CSP, therefore, after adequately respecting the four pillars on which each cyber-resilience structure is based, 52 must be able to promptly deal with any cyber-attacks proactively, dynamically and efficiently, to safeguard the integrity, confidentiality and availability of data, as well as ensuring
50 Giuseppe Saccardi, "Cyber security e resilienza: come gestire il rischio", Tom's Hardware (2016), https://www.tomshw.it/cyber-security-resilienza-come-gestire-rischio-74808.
51 Ibid. Similarly, the BS 65000 standard refers to "organisational resilience" as "the ability to anticipate, prepare for, respond and adapt to events, both sudden shocks and gradual change. That means being adaptable, competitive, agile and robust". BS 65000, Guidance for Organizational Resilience, The British Standards Institution, 2014, 1.
52 According to the National Association of Risk Managers and Corporate Insurance Managers (ANRA), the four pillars of a cyber-resilience strategy are: (1) preparation, i.e., identifying the fundamental assets of the company, and protecting them depending on the different levels of risk, so as to integrate risk management into the company structure; (2) protection, which includes staff education and training, audits and the implementation of appropriate crisis handling procedures; (3) analysis, i.e., continuous monitoring of malfunctioning and threats; (4)
cybersecurity solutions, resilience is not just about architecture and organisation, but also a matter of people and processes. 54

Security obligations under the NIS Directive, the GDPR and the Proposed Cybersecurity Act
As with any other technological advancement, the development of big data and cloud computing has largely occurred in a regulatory vacuum. This was initially the case even within the European Union, though here, over time, multiple security requirements have been introduced by different pieces of European legislation sharing a common goal: the creation of a secure, trustworthy and thriving Digital Single Market. 55 While the eIDAS Regulation imposed security obligations in relation to electronic identification means and trust services only, 56 it was in 2016 that the European legislator addressed information and network security through legal instruments broader in scope: the GDPR, to protect the security of personal data as strictly related to its fair, lawful and transparent processing and its free movement, 57 and the NIS Directive, to promote a high common level of security of network and information systems within the Union so as to improve the functioning of the internal market. 58 CSPs and any big data service providers should duly take into account the significant symmetries between the GDPR and the NIS Directive, which, among other things, share a similar definition of network and information security, namely the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or the related services offered by, or accessible via, those network and information systems. 59 Similarly, these two pieces of legislation deem security to be essential to the achievement of their goals, which include the creation of trust and confidence, the establishment of a trustworthy level playing field and the development of the internal market. 60
However, while the GDPR applies to the extent that CSPs host personal data, 61 either as data controllers or data processors, 62 the NIS Directive specifically includes CSPs within its scope of application as "providers of digital services", together with online marketplaces and online search engines. 63 In addition, the latter leaves it to digital service providers to self-assess whether they are targeted by the online security obligations set by the directive, which, in contrast, are mandatory for providers of "essential services", i.e., providers which are typically engaged in sectors such as energy, transport, banking, stock exchange, healthcare, utilities, and digital infrastructure. 64 Similarly, big data service providers may fall within the scope of the GDPR and the NIS Directive depending on the nature of the data processed, the type of service provided, and the sector in which they operate.
44.
61 Pursuant to GDPR, Art. 4, no. 1, "'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
62 According to the definitions provided under Art. 4, no. 7 and 8, "'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data", while "'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
Besides any transposing national laws, 65 providers should adopt "appropriate", "adequate" and "proportionate" measures, both organisational and technical in nature, on the basis of a culture of risk management, involving risk assessment and the implementation of security measures commensurate with the degree of risk. 66 In addition, "the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of processing" are crucial in determining the level of security adequate to minimise the risk. 67 Accordingly, effective measures may include pseudonymisation and encryption of personal data, 68 accurate selection of third-party providers to which processing is outsourced, 69 as well as regularly testing, assessing and evaluating the effectiveness of technical and organisational measures, 70 to be updated in case of changed circumstances. 71 Moreover, procedures should be introduced by each provider to ensure effective incident handling and resilience of network and information systems, 72 but also compliance with the notification requirements prescribed by law in the event of security incidents that endanger the continuity or provision of essential services or digital services, 73 and in case of breach of personal data. 74 The accountability principle should inspire any CSP, 75 which should also follow best practices. 76 This mix of hard and soft law that providers are supposed to follow is the result of the variety and complexity of existing technologies, which, combined with the rapid pace of their evolution, make it impracticable for the legislator to specify in detail the necessary technical measures to implement in any given case. Besides pieces of legislation such as the GDPR and the NIS Directive, codes of conduct, certification mechanisms and standards elaborated by private subjects are not only strongly encouraged but also needed. 80
In addition to the instruments above, as part of the so-called "Cybersecurity package", 81 the European Commission has adopted a new proposal for a Cybersecurity Act in order to establish "a high level of cybersecurity, cyber resilience and trust within the Union with a view to ensuring the proper functioning of the internal market". 82 The proposed Regulation defines cybersecurity as encompassing "all activities necessary to protect network and information systems, their users, and affected persons from cyber threats", 83 and it aims at (i) strengthening the role of ENISA, which should act as a reference point of advice and expertise on cybersecurity for Union institutions, agencies and bodies, 84 and (ii) establishing a European cybersecurity certification framework for ICT products and services. This is based on the awareness that "network and information systems and telecommunications networks and services play a vital role for society and have become the backbone of economic growth", 85 yet, at the same time, increased digitisation and connectivity generate a higher number of cybersecurity risks, which in turn make society at large more vulnerable to cyber threats and exacerbate the dangers faced by individuals. 86
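As an added illustration of two of the measures this section names, pseudonymisation of personal data and regularly testing that a measure is effective, the following Python code is not from the article or from any of the instruments it discusses; the record layout, field names and key handling are assumptions made for the example. It pseudonymises a constructed customer dataset with a keyed function (HMAC-SHA256), keeps the re-identification table apart from the pseudonymised records, and runs two effectiveness checks: that no direct identifier survives in the output, and that two controllers holding different keys cannot join their datasets on the pseudonym.

```python
# Added illustration (not code from the article): keyed pseudonymisation of
# personal data with the re-identification table held apart from the data.
# Record layout, field names and key handling are assumptions for the example.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data: a direct identifier (email) next to the payload
# a processor would actually analyse.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "purchase": "book"},
    {"email": "bob@example.com", "purchase": "lamp"},
    {"email": "alice@example.com", "purchase": "pen"},
]


def new_pseudonymisation_key() -> bytes:
    """Generate the secret key: the 'additional information' that has to be
    stored separately from the pseudonymised data (e.g. by the controller only)."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym with HMAC-SHA256.

    A keyed construction is used rather than a bare hash: an unkeyed hash of a
    low-entropy identifier could be recomputed by anyone holding the list of
    identifiers, so it would not separate the data from the person. The value
    is deterministic per key, so records about the same person stay linkable
    for analytics without revealing who that person is.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_dataset(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Split a dataset into (pseudonymised records, re-identification table).

    The first part can be handed to a processor or an analytics pipeline; the
    second part stays with the controller under access control.
    """
    pseudonymised: List[Dict[str, str]] = []
    reid_table: Dict[str, str] = {}
    for record in records:
        pseudonym = pseudonymise(record["email"], key)
        reid_table[pseudonym] = record["email"]
        # Copy every field except the direct identifier.
        payload = {k: v for k, v in record.items() if k != "email"}
        pseudonymised.append({"subject": pseudonym, **payload})
    return pseudonymised, reid_table


def reidentify(pseudonym: str, reid_table: Dict[str, str]) -> Optional[str]:
    """Attribute a pseudonym back to a data subject; possible only with the
    separately held table, which is the point of the measure."""
    return reid_table.get(pseudonym)


def dataset_holds_direct_identifiers(records: List[Dict[str, str]]) -> bool:
    """Effectiveness check: does any record still carry the raw identifier?"""
    return any("email" in record for record in records)


def linkable_across_controllers(identifier: str, key_a: bytes, key_b: bytes) -> bool:
    """Effectiveness check: two controllers with different keys must not produce
    the same pseudonym for the same person, otherwise their datasets could be
    joined on the pseudonym without either key."""
    return hmac.compare_digest(
        pseudonymise(identifier, key_a), pseudonymise(identifier, key_b)
    )


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    data, table = pseudonymise_dataset(SAMPLE_RECORDS, key)
    for row in data:
        print(row["subject"][:16], row["purchase"])
    print("re-identified:", reidentify(data[0]["subject"], table))
    print("raw identifiers left:", dataset_holds_direct_identifiers(data))
```

The key, like the re-identification table, belongs under the controller's access control rather than with the processor; the two checks at the end are the kind of routine effectiveness test the section refers to, and both should be run again whenever the dataset layout or the key-handling procedure changes.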

Contractual shields to providers' liability
When devising and launching increasingly sophisticated technological products and services, providers are confronted with increasingly complex risks. From a legal perspective, these risks translate into responsibility. Accordingly, a business should implement well-considered information security following at least a twofold reasoning: protecting corporate assets (including those of strategic relevance, such as intellectual property and new product information) and business reputation, which could be harmed by the adverse publicity caused by a security breach; and establishing diligence by documenting reasonable corporate management and minimising potential liability. 87 In fact, given that companies now depend on data and information technology to carry out their business operations, cybercrimes causing their data to be lost or corrupted may result in business interruptions, the inability to meet contractual obligations with counterparties, and the risk of both class action lawsuits filed by individuals harmed by the data breach and derivative lawsuits filed by the company's shareholders against the board of directors. In addition, cybercriminals could extort companies or trade on insider information. 88 These liability risks turn into burdensome costs; indeed, data security breaches are estimated to account for over $400 billion in losses annually. 89 Moreover, in the case of data breaches the safe harbour set by Article 14 of the E-Commerce Directive does not apply: although this Article does shield cloud service providers, and more generally any hosting provider, from liability, it only covers cases in which illegal information is stored by users of a service and the service provider has no actual knowledge of, or control over, the data processed, stored or transmitted.
The safe harbour, therefore, does not cover big data and cloud service providers with regard to their security obligations: it remains the providers' primary responsibility to ensure the confidentiality, integrity and availability of data, as well as resilience, and no exemption is yet envisaged in the current legal framework.
In light of this, besides internally applying mitigation measures, companies include security-related safeguards in the contracts they enter into with business partners, customers or both, including confidentiality clauses, detailed security obligations, warranties, indemnity provisions, audit rights and limitations of liability. In fact, entrusting big data to a business partner always requires careful due diligence and the adequate reflection of any resulting issue in the agreement between the parties. Outsourcing certain activities to third parties may be risky, and the related security risks are partly mitigated through due diligence, contractual protections and proof that information security requirements are met. 90 This is why, with specific regard to CSPs, Service Level Agreements (SLAs), which constitute, together with the , 91 voluntarily assume, on a negotiation basis, the obligation to guarantee adequate standards of security in the provision of their services, with the ultimate goal of inspiring trust among users and strengthening their reputation as reliable market operators. In this way, any breach also becomes a matter of contractual liability.
SLAs are often published on the CSP's website and may be amended unilaterally by the CSP, generally placing on users the onus of monitoring any change. In addition, remedies for breach usually consist of service credits. 92 Moreover, when personal data is involved, the parties must also enter into a data processing agreement pursuant to Article 28 of the GDPR, providing "sufficient guarantees" that the requirements of the GDPR will be met and the rights of data subjects protected.
89 https://www.pwc.com/gx/en/insurance/publications/assets/reaping-dividends-cyber-resilience.pdf: 4.
90 For more details on this see Michael R. Overly, "Information security in vendor and business partner relationships", in James R. Kalyvas, Michael R. Overly, op. cit., 21 ff.
91 Typically, SLAs address (i) service performance, in terms of availability, response times, capacity parameters, etc., and assistance services; (ii) data management, including backup and portability procedures; and (iii) data protection, in accordance with the requirements of the applicable law. On this see Shyam S. Wagle, "Cloud Computing Contracts. Regulatory Issues and Cloud Providers' Offer: An Analysis", IFIP (2016), http://www.ifip-summerschool.org/wp-content/uploads/2016/08/IFIP-SC-2016_pre_paper_11.pdf: 6.
It has, however, been observed that despite the above agreements CSPs do not always provide clear and complete security-related information, especially in contractual relations with consumers. 93 A comparative analysis of the terms and conditions adopted by the main CSPs reveals many critical aspects, 94 which may derive from the unequal bargaining power of the parties. In fact, cloud contracts are often a "take it or leave it" option set unilaterally by CSPs, which are reluctant to change their standard terms 95 on the assumption that "in trying to remove or reduce liability exclusions and limitations or increase service levels for commoditized services, customers want to have their cake and eat it too -seeking the cheapest services while requesting the highest levels of assurances." 96 At the same time, negotiating terms might not be advisable for a pragmatic reason: complying with all users' separate security policies, which may impose different, even conflicting, requirements, is deemed difficult in a standardised infrastructure. 97 costly in terms of adverse publicity. The significant bargaining power most CSPs enjoy allows them to impose their contractual terms on customers and business partners that lack equal strength.
In other words, on the one hand CSPs help address the existing "jungle of standards" 108 by cooperating with the European Commission; 109 on the other hand, they use cloud contracts as a shield against liability.
From a different perspective, mindful of the ever-evolving nature of cyber threats, CSPs and, more generally, companies can take out cyber-liability insurance, transferring the risks relating to cybersecurity compliance to the insurance industry. Governments could take this a step further by making cyber-liability insurance compulsory, at least for companies meeting certain requirements. This would shift the task of determining compliance requirements from the legislator, whose action is generally also influenced by the political climate, to insurance companies, which are better placed to deal with highly technical and rapidly changing issues.
Insurers would have a monetary incentive to adopt state-of-the-art and effective cybersecurity standards, and this would lead not only to risk reduction but also to the mitigation of damage and to victims being made whole. In other words, both companies at risk and the public at large would benefit from the implementation of a compulsory cyber-insurance scheme. 110
108 In September 2012, the European Commission described cloud computing as a fundamental tool for progress for citizens, businesses and public institutions, as well as for the whole of Europe; at the same time, it identified a "jungle of standards" as the main obstacle to the affirmation of cloud computing and therefore as a barrier to economic development. European Commission, "Unleashing the Potential of Cloud Computing in Europe", COM (2012) 529 final, 27 September 2012.
109 For an overview and analysis of the initiatives undertaken by the European Commission, as well as by numerous public and private organisations, in the field of cloud computing and standardisation, see Niamh Christina Gleeson, Ian Walden, "'It's a jungle out there'? Cloud computing, standards and the law", European Journal of Law and Technology 5 (2014).
110 Minhquang N. Trang, op. cit., 409 ff.