Citation: D. Kolevski, K. Michael, R. Abbas and M. Freeman, "Cloud Data Breach Disclosures: the Consumer and their Personally Identifiable Information (PII)?," 2021 IEEE Conference on Norbert Wiener in the 21st Century (21CW), Chennai, India, 2021, pp. 1-9, doi: 10.1109/21CW48944.2021.9532579.

Photo by Hazel Z on Unsplash

Abstract

The incidence of cloud computing data breaches across the world is increasing as retailers, financial institutions, health providers and businesses of all sizes rely on infrastructure, platform, software, and anything as a service (IaaS, PaaS, SaaS and XaaS respectively). As cloud provisioning requires the Internet for the realization of services, security has become paramount. Companies have adopted cloud services to allow for agility in response to growth, particularly of digital services, while reducing their overall costs and maintenance issues. At the same time, the personally identifiable information (PII) of hundreds of millions of end-users is now at risk of being hacked, through insecure cloud computing practices that lead to data breaches. In this article, we explore three cases of significant cloud computing data breaches: 2011 Sony PlayStation Network (PSN); 2014 eBay, Inc.; and 2014 Yahoo!. This paper employs a qualitative methodology, using mini case studies to demonstrate the significance of data breaches. While class action lawsuits by citizens have brought attention to potential matters of disclosure, the misuse of data, and identity fraud in the context of cloud computing, US courts continue to rule that the direct costs to the individual end-user are merely speculative and not provable. The role of consumer class action for data breaches in the cloud are presented in this article.

SECTION I.

Introduction

As cloud infrastructure, platforms and software provide businesses the ability to scale according to end-user demand, the motivation for hackers increases, as do the vectors of attack. While the consumer may lack the visibility and or technical knowledge of how a digital service actually works, businesses are now operating in an open environment that is much more vulnerable to breaches in security. The movement away from centralized systems to more distributed cloud systems means that nodes in a cloud computing network can now be scattered across different physical locations, despite that the operation of the cloud is governed in the originating jurisdiction. For the greater part, a customer using an online service is oblivious to the inner workings of an end-to-end cloud computing service offering and value chain. They are not exposed to the technical aspects of the service, and may not be aware of the security implications for a distributed cloud network on which they rely for the delivery of a service. Rather, they are primarily concerned with whether or not they can make a given transaction online in a timely manner.

Over the last decade there have been numerous high-profile hacks that have acted to raise awareness of the vulnerabilities of cloud computing configurations. To date, cloud computing service providers have been rarely directly implicated in mass-scale data breaches. Businesses, have had to take responsibility for disclosures of personally identifiable information (PII), despite that the hack has occurred on technology that is leased by the business and not owned by the business. The finer details of service level agreements (SLA) are now more important than ever in outsourced operations. A SLA is a legally binding contract between a business customer and a service provider that formalizes a minimum level of expected service [1]. When a SLA contract is being drafted between two parties, noting that the service provider is an external supplier to a business, metrics are determined against which a quality service can be measured. These metrics might include: service availability, security, and business results, among other factors. If a cloud computing service provider does not maintain their expected thresholds of service, then penalties may be applied [2]. In this paper, we focus on data breaches as they pertain to security vulnerabilities, exploring how a cloud computing provider might be held accountable for infrastructure, platforms or software that succumb, for example, to information security penetration.

The real question that remains unaddressed is what are the rights of consumers when massive data breaches take place? It is one thing for a business and its supplier to determine how penalties will be applied one commercial party to another, depending on who was at fault for the disclosure, but who will look out for the consumer? What rights might consumers have to seek damages when, for example, a security hack occurs and their digital property has been compromised? In this paper we address the following research question:

  1. What kind of recourse does a consumer have when their personal information has been disclosed, even if a hacker never intends to use the data for fraudulent purposes?



To elucidate R1 further, SLAs might well protect an individual business but what sort of legally binding agreements protect the business' customers? Are these left open to consumer protection laws? Or stated terms and conditions available from the business when an individual decides to subscribe to a given service? And how might consumers ultimately seek the same kind of SLA-like recompense? The stakes are continuing to rise as more and more sensitive data is being collected and stored, such as biometric fingerprints among other unique bodily characteristics [3].

In the next section, we describe the complex interplay between stakeholders in the cloud computing value chain to help shed light on the dynamics between the players during a data breach scenario. We also describe a variety of cloud computing models and cloud computing service offerings and present several examples of well-known data breaches that have been noted in peer-reviewed literature. This background provides the reader with a holistic view of the current state of play to try and deduce a way forward by acknowledging the roles and responsibilities of stakeholders during and after a data breach that will certainly affect more than just two commercial parties engaging in a buyer-supplier relationship. Advocacy for the consumer is important given it is the consumer's personal details that have been disclosed and possibly misused.

SECTION II.

Background

A. Cloud Computing Value Chains

In a cloud computing value chain [4], there are numerous individual actors that come together through a process of interaction to produce a valid service offering that is meaningful to a business entity or government agency. In particular, cloud computing services generally require organizations to offer or sell a digital product or service that has a direct benefit to individual end-users (i.e., consumers and/or citizens). Businesses, e.g. retailers, that adopt cloud computing services are considered “customers” in the business context, and their corresponding subscriber base by extension are “end-users”. When data breaches are announced in the media, it is often difficult to ascertain where the breach has occurred, what this means for the business customer, and in turn their respective end-users.

Figure 1 identifies a simplistic view of key stakeholders in any cloud data breach. These include:

  • Cloud providers: provide provisioning, storage and processing resources to small and medium businesses, large enterprises [5], and even government agencies, mainly in the form of infrastructure, platforms or software as a service. E.g., Amazon Web Services (AWS) and Microsoft Azure.

  • Cloud customers: purchase processing and storage requirements from cloud providers through an application interface [6]. These are usually but not always businesses or government agencies. Cloud customers acknowledge that their core competency is not information technology and seek to outsource accordingly, shifting technology requirements from a business' capital expenditure to an operational expenditure.

  • End-users: purchase goods and services from businesses that host their services in the cloud. For example, end-users who log on to transact on web service portals and provide personal and financial information, and geolocation identification to complete a given transaction [7], [8].

  • Courts: a judiciary is that branch of government which administers justice according to law, and includes courts, judges, magistrates. Thus, courts are indirect stakeholders of the cloud computing value chain, but are integral to proceedings after a data breach has occurred as they form part of the socio-technical-legal ecosystem [43], [44]. Courts provide a legal avenue for cloud stakeholders to debate and challenge data breach allegations [9].

Figure 1. A simplified view of cloud computing actors.



Considerations regarding who is representing the end-user in such cases are paramount. While we have not denoted the role of government agencies tasked with oversight for the data protection of its citizenry, this is implied. In this article, however, we are more concerned with the actions of consumers to have an active voice during and after a data breach, as a means to garner explicit visibility for their plight as potential victims of identity fraud, beyond mere disclosure. When a breach occurs, clearly there are externalities above and beyond a buyer-supplier relationship.



B. Infrastructure, Platforms and Software Under Attack

Data breaches directly affect the cloud provider and business customer, as they control and manage end-user data. This is evident in [10] who state that data breaches occur when there are weak security defences allowing hackers to penetrate the cloud provider or customer's portal and retrieve end-user data. Additionally, cloud computing services have four primary service delivery models, infrastructure, platform, software and anything as a service (IaaS, PaaS, SaaS and XaaS) [11]. These service delivery models are accompanied by four primary deployment models, private, public, hybrid and community models [12]. This becomes increasingly important when scrutinizing what data is available to a potential hacker, how a cloud configuration might be penetrated, and the security vector by which an attack occurs. Each cloud configuration has known vulnerabilities and weaknesses. For example, has the breach occurred in the unencrypted communication between two servers? Is the target of the hacker a distributed denial of service (DDoS) attack on a host server used to deliver an online shopping cart application? Or on the application itself that does not use two factor authentication? Is the cloud service wholly private or public? How vulnerable is the cloud set-up to insider attacks, that are purely human factors based? Each cloud computing service type and each model of deployment has its own sets of potential threat vulnerabilities. When it gets to disputes in the court, these technical details come to the fore in trying to deliver the right ruling, especially where there is a conflict between buyer-supplier in the context of a service level agreement. From the perspective of consumers, however, the issues are focused on what personal data has been compromised and the perceived or actual damage inflicted on them as individuals, as a result of the data breach. The quantification of a data breach in terms of “loss expectancy”, beyond acknowledging how many details were compromised (e.g. number of end-users and the actual data disclosed) still remains an open question. Trying to put an economic cost on the loss of someone's personal details is still very much an intangible [13].

C. Stakeholder Dynamics After a Data Breach

The real extent of complexity surrounding cloud computing service offerings, and corresponding data breaches is evident when one tries to discover the cause of a security-related outage, so that services can be restored to normal as soon as practicable. It can, in fact, be hours, days or even weeks, before a business is informed or determines they have been subject to a hack or an accidental data leakage. In turn, a consumer may well find out much later about a breach, when media reports on a given disclosure are released, and the breach becomes public knowledge. Depending on the size of the business and/or breach, consumers may well become informed after relevant government agencies are notified at the state or federal level, pertaining to privacy and/or data protection. In many countries around the world, e.g. Australia, mandatory data breach notification (MDBN) is a requirement [14] for medium to large enterprises. Businesses must notify affected individuals and the data protection agency (or equivalent) in that jurisdiction, when a data breach involving personal information is likely to result in serious harm [15]. Eventually consumers find out about security breaches as they relate to their personally identifiable information (PII) but it seems that end-users are almost always last to be informed that their sensitive data has been disclosed or stolen [16]. Sensitive data can be described as that data pertaining to genetic data, biometric data, or even health data, beyond one's identity-related data, such as their name or date of birth etc. Additionally, proving “serious harm” means that businesses can interpret levels of harm after an exposure and decide not to go public after a data breach, so their brand is not diminished in any way.

SECTION III.

Literature Review

A. High Profile Data Breaches

There are an increasing number of data breach cases that have progressed through courts. This may be due to (1) an increase in the number of online service offerings; (2) a higher incidence of successful attacks by hackers; (3) companies with substandard investment in security and poor security practices; (4) a greater number of organizations disclosing a data breach; and/or (5) stronger regulations that enforce penalties for large organizations that do not disclose a breach in a timely manner when they are first made aware of it. Below is a list of some of the most recent large-scale data breaches in the last 5 years, between 2016 and 2021, where tens of millions to hundreds of millions of records of end-users have been compromised in each event. This US-centric representative list alone, is substantial in its coverage of some of the biggest transnational companies in the world that store some of the most sensitive data (e.g. genetic, health, financial):

  • Adobe Systems, 2021, 152 million records, hacked

  • Airtel, 2021, 320 million records, poor security

  • Animal Jam, 2020, 46 million records, hacked

  • Anthem Inc, 2021, 80 million records, hacked

  • AOL, 2021, 92 million records, insider attack

  • Capital One, 2019, 106 million records, unsecured

  • CheckPeople, 2020, 56 million records, unknown cause

  • ElasticSearch, 2019, 108 million records, poor security

  • Equifax, 2017, 163 million records, poor security

  • Facebook, 2019, 540 million records, poor security

  • Facebook, 2019, 267 million records, poor security

  • First American, 2019, 885 million records, poor security

  • Friend Finder Networks, 2016, 412 million records, hack

  • Instagram, 2020, 200 million records, poor security

  • Marriot International, 2018, 500 million records, hack

  • Microsoft, 2019, 250 million records, misconfiguration

  • MongoDB, 2019, 275 million records, poor security

  • My Heritage, 2018, 92 million records, unknown cause

  • Quora, 2018, 100 million records, hack

  • Tetrad, 2020, 120 million records, poor security

  • Tik Tok, 2020, 42 million records, poor security

  • TrueCaller, 2019, 299 million records, unknown causes

  • Uber, 2017, 57 million records, hack

  • Under Armor, 2018, 150 million records, hack

  • US Postal Service, 2018, 60 million records, poor security

  • Wattpad, 2020, 270 million records, hack

  • Zynga, 2019, 173 million records, hack.



Data breaches can be as a result of: hacks, poor security practices, improper settings, accidental publication, insider attacks, and the source of some data breaches are still considered to be from an unknown cause. But most of the breaches presented above demonstrate the magnitude of disclosures to affect large numbers of end-users, representing a population count larger than that of an average country. It is not a far stretch of the imagination, to correlate that some end-users have been caught up in at least several disclosures, rendering different parts of their personally identifiable information available, e.g. financial, health and other data.

Some of the older data breach cases that occurred between 2007 and 2014, are notable because they were the earliest major data breaches that became public knowledge, and most have already played out in the US court system. These representative data breach events include:

  • TK/ TJ Maxx, 2007, 94 million records, hack [17]

  • Heartland, 2009, 130 million records, hack [18]

  • Sony PSN, 2011, 77 million records, hack [1]

  • Dropbox, 2012, 68 million records, hack [19]

  • Tumblr, 2013, 65 million records, hack [20]

  • Yahoo!, 2014, 500 million records, hack [21]

  • eBay, 2014, 145 million records, hack [22]



While newer data breach cases over the last 5 years might well seem more pertinent to be discussing in this article, it is the older cases that stand to teach us the big lessons, as some of these incidents played out in the courts over years. Data breaches might take effect instantaneously but their consequences linger for years to come, as individual stakeholders are embroiled in litigation. This is further amplified when one considers some of the largest companies have had multiple large-scale data breaches in a single calendar year, e.g. Facebook in 2019 had three, mainly attributed to AWS [23], accidental exposure [24], and poor security [25].

The vast majority of peer reviewed literature on major data breaches is published in law journals and privacy/security conferences, at least five years after the breach has occurred. These articles focus on aspects of privacy, data protection, de-identification [26], data security, risk management, cybersecurity insurance [27], damages, compensation, compliance, enforcement of laws [28], and a standard of care [21]. Articles generally focus on a single data breach event, or cover a thematic topic like insurance with sporadic examples from multiple cases.

Seminal studies like [29], [30] review the outcomes of several data breach cases, highlighting the limitations of US state and federal regulatory actions through existing data breach laws. In the review by [29], the focus was on data breach cases before and after the landmark Supreme Court case in Clapper v. Amnesty International USA, 568 US 398. Similarly, in the review by [30] the risks and anxieties that resulted from a data breach were considered. However, [30] reflected on data breach cases differently compared to [29]. As such, [30] have uniquely interconnected the data breach cases, while also using the decision from Clapper as a guide. While several studies focus on data breach laws or lack thereof [29], [30], even fewer studies focus on purposely created laws for cloud services. For example, [31] notes that only three US states are focusing on cloud provider's obligations for data privacy. The three US states are Maryland, Nevada and Massachusetts. Even at this level of detail, [31] notes that laws are focusing on the cloud provider and their customers (i.e. cloud customers, i.e., businesses) and not on end-users (i.e. consumers/citizens). While progress has been made in terms of data protection, significant roadblocks continue to pose threats to end-users and their PII and financial information. These bring unforeseeable issues to end-user privacy rights, data protection, and the misuse of data.

B. Research Contribution

Of the data breaches noted in the literature review, this article will investigate three cases as they pertain to the cloud: 2011 Sony PlayStation Network (PSN), 2014 eBay and 2014 Yahoo! data breaches. These cases are predominantly investigated from the consumer perspective, using US court case notes. The study's purpose is to:

  1. retell the story of the data breach event for each case;

  2. identify the unintended consequences of the disclosure to end-users;

  3. describe the consumer's response to the data breach; and

  4. consider a way forward, offering recommendations.



This article is an original presentation of precedent pertaining to Sony PSN, eBay Inc and Yahoo!. A precedent is a ruling that has been established in a previous legal case that may offer a court a consistent view of how to judge a current case that is closely aligned. Precedent can act in lieu of inadequate evidence, or prohibitive investigative costs and/or limited public interest law resources, to support or deny allegations for the misuse of data.

SECTION IV.

Methodology

This study employed a qualitative approach to investigate three cloud computing data breaches, presenting a descriptive narrative that explored each data breach separately before offering a cross-case comparison, followed by a discussion and recommendations. Data breaches in the US context were chosen given the maturity of the cloud computing market, the transnational impact of global subscribers, and the individualized stance that each state had in dealing with computer hacks and identity theft and fraud cases. Each case study was explored over a two-year timeframe. This allowed for the use of case notes that provided additional coverage of content, as court proceedings were still in motion.

A. Unit of Analysis

While each case study presented in this article is linked to a business, the unit of analysis is a data breach incident, i.e., a single event of a hacker penetrating a cloud computing service provider. It is not just the law that matters in this context, but the socio-technical dimensions as well [45]. The methodological approach taken in this research project was based on case law. Case law is a legal research approach that focuses on past legal decisions, to resolve ambiguities in a current case [32].

B. Data Collection

Case notes offer unique characteristics that cannot be ignored. They contain both elements of primary and secondary sources of evidence; importantly a procedural history of the case in question. Case notes also summarize the decisions reached by each judge, noting any dissent or disagreement. They also bring key legal issues to the surface and provide an analysis of the judicial decisions and application of the law. Case notes also serve the purpose of presenting information based on prior court case outcomes and factual evidence. They allow for the presentation of information otherwise not reported on in other data collection types (e.g. peer-reviewed papers, trade journals or popular media). This is significant because individual data breach cases take years to resolve, and with time, more pertinent evidence can emerge, shedding light on specific contextual circumstances of a given case. A significant number of data breach cases that have relied on case notes indicate that organizations have neglected the values of privacy and security that end-users (i.e. plaintiffs) have assumed with the digital services they interact. For example, [33] stated that the 2015 OPM data breach was the direct result of untested security systems. These findings purely came from case notes related to data breaches, known as a low-cost legal resource [34].

1) Scope

The data collection process consisted of three parts. The first part determined the search terms and included: “[case name]” and “breach*” and “privacy” and “security”. The second outlined the search dates, which were from the initial public notification of the data breach to a period of two-years. The third part consisted of determining the jurisdiction on which the case notes were to be collected. It was determined that US district, circuit and supreme case notes were to be collected for the main reason that the biggest cloud computing service providers are headquartered in the United States of America. The case notes were collected from LexisNexis US Research and Westlaw International databases.

C. Data Analysis

After the exhaustive data collection of case notes, a qualitative analysis took place. A strict process of identifying the main plaintiff allegations, the defendant's position, and other related pertinent case material was gathered. The court's actions were also recorded, as was the reasoning behind its ruling(s). Importantly, even indirect issues to data breaches were noted, in the event they contributed to an actual data breach. The brief narrative on each case study presented in section V, provides a case study setting, sheds light on the complex nature of data breaches, the main issues caused by data breaches, and the risks posed to end-users as well as the tangible and intangible costs that follow a significant data breach.

SECTION V.

Case One: The 2011 Sony Playstation Network Data Breach

The first of a three-part case study design consisted of the 2011 Sony PSN data breach. The data breach disclosed personally identifiable information (PII) and financial information from more than 100 million end-users globally on April 26, 2011. The data breach also impacted the use and availability of the gaming network over a two-week period in April of 2011. Sony delayed notifying its end-user base and it was not until May 2, 2011, that the company distributed a press release stating its cloud network was hacked and end-user data was disclosed. Within days of Sony notifying end-users, immediate class action lawsuits were filed against Sony for their inadequate data protection and allegations filed on the misuse of data [1].

The case notes from the Sony case study reflected a range of socio-technical issues, especially from the allegations of end-users on the misuse of data. The plaintiffs in the case notes stated that the disclosure of their data heightened their risk of identity (ID) theft. In Anderson v. Hannaford Bros Co., 659 F.3d 151, the court applied the ruling from Melancon v. La. Office of Student Fin. Assistance, 567 F.Supp.2d 873, in that the plaintiffs “did not have a reasonable basis for purchasing credit monitoring services and could not claim those costs as cognizable damages.” It is important to note that the two cases present unique situations. In Anderson, the defendant suffered a data breach from an intrusion to its enterprise network, while in Melancon, the defendant alleged the plaintiff's data was misplaced. In the case note, People v. M. 31 Misc., 3d 1236(A), the plaintiff alleged the defendant accessed their data “from a file cabinet” to which the “defendant had access while they were living together.” The plaintiff in People also alleged the defendant opened an account with their PII, social security number (SSN) and mother's maiden name. Furthermore, the case note reported that the disclosed plaintiff's data caused them to experience ID theft and fraud.

The case notes reported that from the disclosure of the plaintiff's data, there is an increased likelihood their data could be misused at a later time resulting in financial loss. For example, In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 2012 WL 4849054, the plaintiffs alleged their data could be misused. The plaintiffs applied the ruling from Krottner v. Starbucks Corp., 628 F.3d 1139, 1143, in which the Ninth Circuit granted allegations that when “personal information has been stolen but not yet misused, plaintiffs have suffered an injury sufficient to confer standing under Article III.” Conversely, In re iPhone Application Litigation, 844 F.Supp.2d 1040, the plaintiffs alleged the defendant permitted third party applications to collect and make use of their personal information including geolocation information.

SECTION VI.

Case Two: The 2014 eBay, Inc. Data Breach

The second case study investigated the 2014 eBay, Inc. data breach. The data breach was a result of hackers targeting the company's employees through social engineering attacks and insufficient security practices. The data breach also resulted in more than 145 million end-users having their data disclosed, including names, date of birth (DOB), physical addresses, email addresses, telephone numbers and passwords. While the data breach occurred during February and March of 2014, end-users and the general public were notified on May 22, 2014. As a result, immediate class action lawsuits were filed against eBay [35].

The misuse of data within the eBay case study is dominated by issues surrounding the use of the plaintiffs' disclosed data for illicit purposes. The case notes reported that the plaintiffs' allegations on the misuse of data, including the risk of illicit PII use were purely speculative. In Green v. eBay Inc., 2015 WL 2066531, the District Court for the Eastern District of Louisiana dismissed the plaintiff's allegation that their data could be misused. The court held: “Plaintiff does not allege that he has been injured by misuse of the stolen information[,] … that anyone has used his password.” Similarly, In re SuperValu, Inc., Customer Data Security Breach Litigation, 2016 WL 81792., the District Court for the District of Minnesota dismissed the plaintiffs' allegation on misuse of data as the “plaintiffs' data has not been misused following the breach, the vast majority of courts have held that the risk of future identity theft or fraud is too speculative to constitute an injury in fact for purposes of Article III standing.” In re Anthem Inc Data Breach Litigation, 162 F.Supp.3d 953, the plaintiffs alleged that the defendant failed to protect the PII and healthcare information for 80 million customers, and as a result, their data would be misused. The three cases present important stances on the misuse of data and the overall scheme of allegations. For instance, the courts are uniquely positioned to dismiss allegations, as the plaintiffs were not able to demonstrate injury-in-fact.

Alternatively, one case note reported the misuse of data occurring from the data breaches as somewhat likely. The misuse of data may lead to undesirable consequences, such as plaintiffs monitoring their online accounts more frequently. In this situation, the court granted the plaintiffs' allegations on the misuse of data and the likelihood of hackers able to impersonate the plaintiffs. In re Adobe Systems, Inc., Privacy Litigation, 66 F.Supp.3d 1197, the court granted the plaintiffs' misuse of data allegations and emphasized: “why would hackers target and steal personal customer data if not to misuse it and declines to follow it.” The court, In re Adobe Systems, Inc., “finds that Plaintiffs' allegations of a concrete and imminent threat of future harm suffice to establish Article III injury-in-fact at the pleadings stage.” Therefore, the primary concern of the court was to determine the ambition of the hackers disclosing the plaintiffs' data.

SECTION VII.

Case Three: The 2014 Yahoo!, Inc. Data Breach

The final case study investigated the 2014 Yahoo! data breach that impacted over 500 million end-users globally, and disclosed their names, DOB, email addresses, telephone numbers, passwords and security questions and answers (Q&A). The Yahoo! data breach was unique in that security Q&A presented additional data unique to the end-users. Yahoo! notified end-users and the general public on September 22, 2016, more than two years after the initial data was disclosed. Following the trend of the Sony and eBay data breaches, class action lawsuits were filed, and immediate attention was pointed on the legal outcomes [21].

The Yahoo! case study focused on the misuse of data from the disclosure of the plaintiffs' PII and financial information. The major concern of the misuse of data is that it could result in negative sentiments related to the social implications of technology, including the invasion of privacy, having experienced harm and having the data already misused. For example, In re Yahoo! Inc Customer Data Security Breach Litigation 2017 WL 3727318, the plaintiffs alleged that the defendant failed to protect their PII that later “appeared on the dark web and has indeed remained for sale on the dark web as late as March 17, 2017.” The plaintiffs “Essar, Dugas, Matthew Ridolfo, Deana Ridolfo, and Heines” also alleged, “their stolen personal information has already been misused.” The plaintiffs relied on the outcomes from Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, as once the “stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.” In the two cases, the concept of freely available PII on the dark web presents important social implications.

Several case notes reported that the plaintiffs' disclosed data did not have significant harm. For instance, In re Yahoo! Inc Customer Data Sec., the defendant relied on the outcome of Antman v. Uber Technologies, Inc., 2015 WL 6123054, where the plaintiff “failed to allege a sufficiently plausible causal connection between the breach of Uber's servers and the plaintiff's allegations.” Similarly, In re Anthem, Inc. Data Breach Litig., 2018 US Dist. LEXIS 140137, the defendant argued that the “plaintiffs' entire case or at least large swaths of the case depended upon the assertion that an imminent risk that hackers will misuse the data obtained in the breach.” That is, a more significant degree of emphasis is placed on whether the disclosed data could be misused imminently rather than speculating that the data could be used later.

SECTION VIII.

Discussion

A. Cross-Case Comparison of Data Breaches

Table 1. Cross-case data breach case comparison of compromised personally identifiable information (pii)

The Sony case study consisted of plaintiffs alleging that defendants failed to protect their personally identifiable information (PII). The court case notes also reported that plaintiffs were aware of the potential dangers associated with data collection by Sony PSN. So anxious did some end-users become over the Sony PSN data breach, that plaintiffs noted it caused them to monitor their financial accounts and in certain situations, even purchase credit monitoring services to preclude anything happening to their credit rating. The plaintiffs also emphasized that their personal details may have been made available to third party software providers without their explicit consent. In the eBay data breach, it was suggested that the misuse of the plaintiffs' data had repercussions on future injury-in-fact. Yet the court determined that the misuse of data was purely speculative, as the plaintiffs had not sustained any provable immediate harm. In the Yahoo! case study, the plaintiffs alleged that the disclosed data was more susceptible to being misused by hackers, e.g., on the dark web. Like in the eBay case, Yahoo! dismissed allegations that had no injury-in-fact. They claimed the plaintiffs had not presented concrete scenarios where PII and financial data had been misused. It is a difficult conclusion to come to from the side of the consumer. If no risk is ever-present with respect to PII being made available online in an unauthorized way, then one is led to ask the question, why have any security at all, on any system? Trying to adequately deduce a dollar figure for potential harm of PII is near impossible, although lawyers in support of the consumer position have come close to advocating for such a possibility [36].

Table I provides a cross-case comparison of the PII disclosed in each of the data breach incidents.

The three data breach case studies demonstrated the inability for end-users to be compensated for disclosures, and the slow US court process. The cases also highlighted the various types of disclosed end-user data. As consumers re-use usernames and passwords, one can only speculate the potential magnitude of such data breaches that implicated hundreds of millions of end-users, across applications on the cloud. Additionally, the stakes over time of illegally accessible PII will simply increase, inclusive of even more sensitive data being breached, if in fact it continues to be collected by businesses. The main argument made by end-users is that disclosure will almost certainly lead to the misuse of data, identity theft and fraud. Proving this real risk [37], seems almost impossible on scale, as the courts point to evidence of injury-in-fact.

B. The Case for Consumer Class Action

There is a growing trend for end-users to opt for consumer law class actions. This is usually as a result that tens of millions of people have suffered exactly the same loss in their personally identifiable information being disclosed. The power imbalance between corporates and consumers is evident, both from legal and financial resourcing perspectives. Thus, consumers are more likely to mitigate the risks associated with litigation by joining forces in solidarity with others who have also fallen victim to the same data breach [38]. By grouping claims together, their overall value increases, shifting the power imbalance, and demanding for the defendants to recompense individual end-users grows. Class actions are often complex undertakings, but even without compensation, they act to raise awareness of the given scale of the problem in the courts. A consumer class action is a group-based claim that is pursuant of individual financial losses suffered as a result of a breach of consumer protection laws, e.g. in this instance insecure online products or services that might impact an individual's safety, identity and more [39]. It might well be, that several outcomes are met by consumer class actions, predominantly holding large corporate players accountable for the data they gather.

End-users are rapidly going to the courts for their stories to be heard and for financial settlements [40]. It is important to underscore that the outcomes of the court cases were not always within the designated two-year timeframe of the case law data collection. This demonstrates the long and drawn-out process from initiating plaintiff allegations against defendants, granting court approval for class action to commence, and for the verdict to be decided. It is important to factor in prior court proceedings and the outcomes that have derived. For example, 2011 Sony PSN class actions were not finalised until 2014, and 2014 Yahoo! class actions were not finalised until 2019. Therefore, the court cases serve as the roadmap for future data breaches. Past class actions also serve the purpose of knowledge illuminating how progress in data breach case law is achieved. These outcomes closely aligned to previous data breach studies, including [29] and [30], in that cases are resolved years later.

Advancements in other jurisdictions outside of the US such as the EU have seen significant boosts to end-user data protection. For example, the General Data Protection Regulation (GDPR) has to date fined companies for improper data protection and disclosure of end-user data. While it is outside the scope of this study, the progress in the EU has allowed other jurisdictions to rethink data protection strategies. This claim is consistent with the outcome in [41, p. 5028].

C. Reflections on the Misuse of End-User Data

Class actions were a way for end-users to deal with the data breach problem. Some end-users were concerned that their data would be misused given that hackers retrieved sensitive and personal information about them. The class actions from some case notes were detailed and contained outcomes, while others tend to cite class actions with no outcomes. The Sony case study provided minimal insights, while the eBay and Yahoo! case studies heavily cited class actions. For instance, in Green v. eBay, Inc., 2015 WL 2066531, the plaintiff responded that they had suffered economic damages and ID theft, and that the defendant had failed to secure the plaintiffs' personally identifiable information (PII). In a more substantial case, In re Anthem Inc Data Breach Litigation, 162 F.Supp.3d 953, the plaintiffs sought a class action on behalf of 80 million individuals. In Green, the class action was dismissed, and all allegations of ID theft were not adequately satisfied. In re Anthem Inc Data Breach Litigation, the outcome was not settled within the eBay case study; however, the litigation carried across to the Yahoo! case study. In re Anthem, Inc. Data Breach Litig., 2018 US Dist. LEXIS 140137, the plaintiffs were more often concerned that their data could be used to commit ID fraud, and some even worried this would lead to financial ruin.

D. Recommendations for Cloud Providers and Customers

The case notes presented in this study show that a subset of cloud stakeholders within the value chain are susceptible to data breaches. The US courts have also shown that proceedings take considerable amounts of time to be finalised; a more immediate course of action is necessary that provides the appropriate protections to those stakeholders that become vulnerable as a result the data breaches. Therefore, cloud providers and customers need to implement better risk mitigation strategies [42], as per the following five recommendations:

  1. Explicit incorporation of end-user requirements in the Service Level Agreement between cloud providers and cloud business customers;

  2. Development and integration of big data governance strategies, that identify the need for privacy impact assessments (PIAs) and other data-centric risk assessments when dealing specifically with cloud providers;

  3. Proactive socio-technical approach to identifying data breach risks, and considering the design, development and implementation of appropriate mitigation strategies, with an emphasis on the role of machine-based AI attacks;

  4. Investment in ethical hacking strategies and better penetration testing by cloud computing providers, ensuring adequate budgets are set aside for “soft” and “hard” security measures [46];

  5. Enhanced training and education programs for employees of cloud computing providers and customers, against the potential for social engineering attacks (i.e., non-technical attacks).


Risk mitigation can be a form of identifying network vulnerabilities and applying fixes prior to data disclosures; or if a disclosure occurs, completing a security lifecycle, and learning from the experience to ensure the same breach does not happen again. Cloud providers and business customers also need to better protect their employees from social engineering attacks and embed this effort within their risk management strategies. The case notes discuss the process of how the hackers penetrated the cloud providers and customers defences; thus, we can apply lessons from these to better protect against future data breaches. It is equally as important to understand that not all data breaches are avoidable. Hackers and organised crime groups are constantly pushing the threat vector higher and higher, especially with the adoption of emergent hacking techniques that make use of state-of-the-art artificial intelligence machine-based attacks. This recommendation is generally targeted at minimising the risk landscape to reduce data breach exposure.

E. Recommendations for End-Users/Consumers/Citizens

The power of end-users is in numbers. This article has demonstrated clearly that the consumer has several actions for recourse in the US market, and each action yields quite different results. It is recommended that end-users:

  1. Continue to raise awareness about high profile data breaches and their impact, through consumer law class actions. This recommendation calls for more public interest lawyers to take on cases pro-bono;

  2. Advocate for stronger consumer protection laws in their jurisdiction;

  3. Lobby for mandatory data breach notification laws to be enforced by oversight government agencies, better data protection, and better compliance and enforcement through their local representatives;

  4. Demand changes to terms and conditions of the businesses that they interact with online, to ensure that they are not negatively affected by the collection of personally identifiable information; and

  5. Request from businesses they interact with that their PII is encrypted and de-identified, so even if a breach occurs on the cloud, that they are in some way protected, from a technical perspective, by the business.

While end-users continue to seek recompense for disclosures and possible identity theft and fraud, or the misuse of their data, the reality for now, is that businesses and cloud providers will push back, demanding evidence for injuries suffered as a result of data breaches. As with SLAs, metrics between buyer and supplier are explicit, and we need to consider what kind of agreement might stand between an end-user and a business that uses the cloud for their online service offerings. Better audits and logs may well aid in ultimately proving how a single disclosure may negatively impact a single individual, especially given the economic impact may be asymmetric. This is a call for new methods of accountability and practice in the protection of the consumer.

SECTION IX.

Conclusion

The use of cloud computing has meant a massive shift in how businesses and governments operate and manage their infrastructure and services. As a result of cloud computing consumption, there is a growing trend in data breaches, whereby hackers retrieve and disclose end-user data. The research has fulfilled R1 with respect to seeking to answer what kind of recourse a consumer may have when their personal information has been disclosed. The study has two main outcomes. The first is that the trend shown in the case studies, i.e., the unauthorized access of personally identifiable information will likely continue. Since 2007, cloud services of all types have been targeted. Hackers have been able to expose defenses from some of the most well-known and respected businesses. The likes of Sony Corp., eBay, Inc. and Yahoo!, Inc. have fallen victim to cybercrime from the organized crime groups behind these attacks.

The second outcome is that end-users have gone to the courts with allegations of the misuse of data and thus seeking financial settlement. As a result of cloud providers and customers not being held accountable for their actions, and as a result of insufficient data protection, end-users are eager to find alternative ways to claim compensation against the future misuse of data. End-users are alleging that an increased harm would result as their data could be disclosed and sold on the dark web. ID theft and fraud were other areas of concern for end-users due to significant disclosures. End-users continue to go down the path of consumer law class action to demonstrate risk and potential harm in the hope of financial settlement. Despite repeated attempts to establish that hackers have already misused end-user data, the courts have denied these allegations and said they are based on speculation. These cases demonstrate the complexity of navigating the online world, and the ongoing plight of end-users who want to find justice when their property, i.e., personally identifiable information has been compromised. Revisiting US state-based data breach regulation would also be a way to potentially reduce the number of data breaches occurring, if the penalties were commensurate to the size of the data breach, it would be yet another key future research area.

ACKNOWLEDGMENT

We would like to thank Terri Bookman for her editorial support. We would also like to thank the anonymous reviewers who supported us through several rounds of reviews to strengthen the underlying thesis of this paper.

References

1. S. Goode, H. Hoehle, V. Venkatesh and S. A. Brown, “User Compensation as a Data Breach Recovery Action: An Investigation of the Sony PlayStation Network Breach ”, MIS Quarterly, vol. 41, no. 3, 2017, pp. 703–727.

2. T. N. Foster, “Navigating through the fog of cloud computing contracts ”, J. Marshall J. Info. Tech. Privacy L., 30, 2013, p. 13.

3. M.G. Michael, and K. Michael, “National Security: The Social Implications of the Politics of Transparency,” Prometheus, vol. 24, no. 4, 2006, pp. 359–64.

4. D. Kolevski, K. Michael, R. Abbas and M. Freeman, “Stakeholders in the Cloud Computing Value Chain: A Socio-Technical Review of Data Breach Literature ”, in 2020 International Symposium on Technology and Society, Phoenix, Arizona, 2020, pp. 1–5.

5. S. Marston, Z. Li, S. Bandyopadhyay, J. Zhang and A. Ghalsasi, “Cloud Computing - The Business Perspective,” Decision Support Systems, vol. 51, 2011, pp. 176–189.

6. N. Rastogi, M. J. K. Gloria and J. Hendler, “Security and Privacy of Performing Data Analytics in the Cloud,” Journal of Information Policy, vol. 5, 2015, pp. 129–154.

7. J. Cleland-Huang, T. Denning, T. Kohno, F. Shull, and S. Weber, “Keeping Ahead of Our Adversaries,” IEEE Software, vol. 33, 2016, pp. 24–28.

8. B. De Bruin and L. Floridi, “The Ethics of Cloud Computing,” Science and Engineering Ethics, vol. 23, 2017, pp. 21–39.

9. N. Borenstein and J. Blake, “Cloud Computing Standards: Wheres the Beef?,” IEEE Internet Computing, vol. 15, 2011, pp. 74–78.

10. D. Kolevski and K. Michael, “Cloud computing data breaches a sociotechnical review of literature,” 2015 International Conference on Green Computing and Internet of Things (ICGCIoT), Greater Noida, India, 2015, pp. 1486–1495.

11. B. Varghese and R. Buyya, “Next generation cloud computing: New trends and research directions,” Future Generation Computer Systems, vol. 79, 2018, pp. 849–861.

12. Y. Zhang, X. Lan, J. Ren, and L. Cai, “Efficient Computing Resource Sharing for Mobile Edge-Cloud Computing Networks,” IEEE/ACM Transactions on Networking, vol. 28, 2020, pp. 1227–1240.

13. S. Dongre, S. Mishra, C. Romanowski and M. Buddhadev, “Quantifying the costs of data breaches ”, International Conference on Critical Infrastructure Protection, March 2019, pp. 3–16, Springer, Cham.

14. OAIC, “Notifiable data breaches ”, Office of the Australian Information Commissioer, Accessed July 13, 2021, https://www.oaic.gov.au/privacy/notifiable-data-breaches/

15. M. Burdon, B. Lane, P. von Nessen, “Data breach notification law in the EU and Australia - Where to now? ”, Computer Law Security Review, vol. 28, issue 3, 2012, pp. 296–307, https://doi.org/10.1016/j.clsr.2012.03.007

16. N.J. King and V.T. Raja, “Protecting the privacy and security of sensitive customer data in the cloud ”, Computer Law Security Review, 28 ( 3 ), 2012, pp. 308–319.

17. E. Goldberg, “Preventing a data breach from becoming a disaster ”, Journal of Business Continuity Emergency Planning, 6 ( 4 ), 2013, pp. 295–303.

18. E. Holbrook, “The mother of all data breaches ”, Risk Management, vol. 57, no. 9, 2010, pp. 18–20.

19. M. Ahmed, H.R. Kambam, Y. Liu, M. N. Uddin, “Impact of Human Factors in Cloud Data Breach ”, International Conference on Intelligent and Interactive Systems and Applications, June 2019, pp. 568–577, Springer, Cham.

20. L. Franceschi-Bicchierai, “Hackers Stole 65 Million Passwords From Tumblr, New Analysis Reveals ”, Motherboard, Vice Media, 30 May 2016, https://www.vice.com/en/article/8q88k5/hackers-stole-68-million-passwords-from-tumblr-new-analysis-reveals

21. L. J. Trautman and P. C. Ormerod, “Corporate Directors and Officers Cybersecurity Standard of Care: The Yahoo Data Breach ”, 66, Am. U. L. Rev., 2016 - 17, p. 1231.

22. T. Minkus and K.W. Ross, “I know what youre buying: Privacy breaches on eBay ”, International Symposium on Privacy Enhancing Technologies Symposium, July 2014, pp. 164–183, Springer, Cham.

23. J. Silverstein, “Hundreds of millions of Facebook user records were exposed on Amazon cloud server ”. cbsnews.com, 4 April 2019, https://www.cbsnews.com/news/millions-facebook-user-records-exposed-amazon-cloud-server/

24. R. Price, “Facebook says it ‘unintentionally uploaded’ 1.5 million peoples email contacts without their consent ”, Businessinsider.com, 19 April 2019, https://www.businessinsider.com.au/facebook-uploaded-1-5-million-users-email-contacts-without-permission-2019-4?r=US=T

25. CBS, “Over 267 Million Facebook Users Have Account Info Exposed On Dark Web In Massive Data Breach ”. CBS Local, 20 December 2019, https://newyork.cbslocal.com/2019/12/20/facebook-dark-web-data-breach/

26. Y. Lagos, “Taking the personal out of data: Making sense of de-identification ”, Ind. L. Rev., 48, 2014, p. 187.

27. L. Bonner, “Cyber risk: How the 2011 Sony data breach and the need for cyber risk insurance policies should direct the federal response to rising data breaches ”, Wash. UJL Poly, 40, 2012, p. 257.

28. F. Cafaggi, “Collective enforcement of consumer law: a framework for comparative assessment ”, European Review of Private Law, 16 ( 3 ), 2008.

29. B. C. Mank, “Data breaches, identity theft, and Article III standing: Will the supreme court resolve the split in the circuits? ” Notre Dame Law Review, vol. 92, 2017, pp. 1323–1368.

30. D. J. Solove and D. K. Citron, “Risk and anxiety: A theory of data-breach harms,” Texas Law Review, vol. 96, 2018, pp. 737–786.

31. J. A. Harshbarger, “Cloud Computing Providers and Data Security Law: Building Trust with United States Companies,” Journal of Technology Law Policy, vol. 16, 2011, pp. 229–256.

32. J. P. Lomio and H. Spang-Hanssen, Legal Research Methods in a Modern World: A Coursebook, 2011, Copenhagen : Djøf Forlag.

33. C. A. Seeley, “Once more unto the breach: The constitutional right to informational privacy and the privacy act,” New York University Law Review, vol. 91, 2016, pp. 1355–1385.

34. C. A. Levitt and J. K. Davis, Internet Legal Research on a Budget: Free and Low-Cost Resources for Lawyers, 2014, American Bar Association.

35. T. A. Hemphill and P. Longstreet, “Financial data breaches in the US retail economy: Restoring confidence in information technology security standards ”. Technology in Society, vol. 44, 2016, pp. 30–38.

36. J. A. Fisher, “Secure my data or pay the price: Consumer remedy for the negligent enablement of data breach ”, Wm. Mary Bus. L. Rev., 4, 2012, p. 215.

37. N. Green, “Standing in the Future: The Case for a Substantial Risk Theory of Injury in Fact in Consumer Data Breach Class Actions ”, BCL Rev., 58, 2017, p. 287.

38. D.A. Bishop, “No Harm, No Foul: Limits on Damages Awards for Individuals Subject to a Data Breach ”, Washington Journal of Law, Technology Arts, 4 ( 4 ), 2008, p. 12.

39. S. Romanosky, D. Hoffman, and A. Acquisti, “Empirical analysis of data breach litigation ”, Journal of Empirical Legal Studies, 11 ( 1 ), 2014, pp. 74–104.

40. D.J. Marcus, “The Data Breach Dilemma: Proactive Solutions for Protecting Consumers Personal Information ”, Duke LJ, 68, 2018, p. 555.

41. N. Gruschka, V. Mavroeidis, K. Vishi, and M. Jensen, “Privacy Issues and Data Protection in Big Data: A Case Study Analysis under GDPR,” in 2018 IEEE International Conference on Big Data (Big Data), 2018, pp. 5027–5033.

42. D.E. Salane, “Are Large Scale Data Breaches Inevitable? ”, Cyber Infrastructure Protection, 2009, 9.

43. R. Abbas, “Location-based services (LBS) regulation in Australia: a socio-technical approach ”, PhD Thesis, University of Wollongong, 2012, https://ro.uow.edu.au/theses/3666

44. L.B. Moses, “How to think about law, regulation and technology: Problems with ‘technology’ as a regulatory target ”, Law, Innovation and Technology, vol. 5, no. 1, 2013, pp. 1–20.

45. R. Abbas, K. Michael, M.G. Michael, “The regulatory considerations and ethical dilemmas of location-based services (LBS): A literature review ”, Information Technology People, vol. 27, no. 1, 2014, pp. 2–20.

46. L. Rasmusson, S. Jansson, “Simulated Social Control for Secure Internet Commerce ”, in C. Meadows (ed.), Proceedings of the 1996 New Security Paradigms Workshop. Association for Computing Machinery, 1996.

Authors

David Kolevski

School of Computing and Information Technology, University of Wollongong, Wollongong, Australia

Katina Michael

School for the Future of Innovation in Society, Arizona State University, Tempe, Arizona

Roba Abbas

School of Business, University of Wollongong, Wollongong, Australia

Mark Freeman

School of Computing and Information Technology, University of Wollongong, Wollongong, Australia

Citation: D. Kolevski, K. Michael, R. Abbas and M. Freeman, "Cloud Data Breach Disclosures: the Consumer and their Personally Identifiable Information (PII)?," 2021 IEEE Conference on Norbert Wiener in the 21st Century (21CW), Chennai, India, 2021, pp. 1-9, doi: 10.1109/21CW48944.2021.9532579.

Previous
Previous

Designing online/offline experiences with children in mind

Next
Next

Anticipating Techno-Economic Fallout: Purpose-Driven Socio-Technical Innovation