Does cloud computing need malpractice safeguards?
With the value of consumer's online information increasing every year, do the old "you can't blame us" mentality of software and Internet-based services have to go?
Recent failures to protect consumer data stored on the Internet () point to an alarming gap between the value of that data and the care with which some vendors treat that data.
The truth is that cloud computing means that now, more than ever, IT operations is a profession that has a very real economic and quality-of-life effect on its consumers--in very many ways much like health care or the law. I think it's time we hold ourselves as individual and organizations to similar standards that we expect from doctors, lawyers, and law enforcement. Our ethics must reflect an understanding of the responsibility we are being granted by the rest of society.
The instances above are examples of companies failing to follow well-known professional protocols, or putting the needs of the business ahead of the needs of the client. Heck, look at just about any cloud operator's terms of service, and you see paragraph after paragraph of text that basically states, "If something goes wrong, you can't blame us."
I think its time to change this attitude. I see a couple of options, neither of which I love, to achieve this. I'd love to hear from some innovative thinkers on others.
Pass "cloud consumer protection" laws. This was something that was briefly explored after I wrote my "Cloud Computing Bill of Rights" post in August of 2008. However, the folks who got involved at that time weren't a) vendors or b) policymakers, so we didn't get far.
The biggest issue with using the law to enforce professional culpability is that it requires government bureaucracy for enforcement. That bureaucracy doesn't exist today, and would be expensive to create.
Allow for "cloud malpractice" suits. Oh, I know, I know. Most of you in the IT profession are squirming in your chairs right now, ready to jump down my throat about how medical malpractice has created as many problems as it has solved. Again, I don't love this option, either.
However, if Danger had lost arguably hundreds of thousands of dollars worth of data (or more) because it didn't tangibly fear the reprisals that would come if it lost it, it would be nice to see a big ol' sledgehammer of justice ready to rain down. I'm sorry, but failure to follow known professional practices is malpractice, and malpractice suits exist to punish those who forget that.
Let me reemphasize that I don't love either option, but I do know something has to change. The public is placing an extremely high level of trust on "cloud" services, and there has to be more than the simple threat of loss of revenue to reflect this. What do you think? Is it time to wield a big stick with respect to cloud service operations, or will the natural evolution of the market do the job for us?