Demonstrating data protection and compliance is mandatory in an increasingly regulated environment. Data security, privacy, storage, recovery and disposal must comply with requirements under various laws such as Sarbanes-Oxley. Even where the cloud backup service provider promises to take care of all aspects of data processing and storage on behalf of the client, the duty to preserve data and ensure its security remains vested in the data owner. The cloud backup service provides the physical infrastructure and software for data protection, preservation and compliance. The user still has to make sure that the security mechanisms used by the cloud backup vendor do what they promise and do not in any way corrupt the data stores that are transmitted to the remote third-party server in the cloud. The user must also ensure that only authenticated and authorized users can access the data store, and that the data remains discoverable for all legal purposes.
Cloud backup subscribers must check whether the data location and privacy controls provided by the cloud backup service align with state, federal and local regulations. While cloud backup service providers have a duty to inform their customers of the location of the data in the cloud, subscribers have a duty to ensure that the location of the data store does not violate any existing mandate.
Authentication is a business and regulatory imperative. Cloud backup service subscribers must evaluate the strength of the user management system provided by the service provider. The authentication protocols must extend to password change requests, forgotten-password requests and any other kind of administrative change that users may request. The system must be able to track and log user activity and to generate alerts when unusual or unauthorized access events occur. The purpose is to ensure that unauthorized users do not gain access to information by electronically impersonating an employee.
Data deletion and disposition must be policy-driven and fully compliant with legally mandated requirements. Safe harbors are available only for data that is lost and unrecoverable as a result of regular business processes. All other data losses are subject to spoliation claims and the duty to preserve. Tardy deletion cannot be blamed on the cloud backup service provider; the business must institute a proper deletion process of its own.
In short, the duty to preserve information under legislated acts remains vested in the user and not in the cloud service provider, even when the cloud backup service SLAs promise data protection to the user.