UPDATED 19:11 EDT / APRIL 04 2014

Continued expansion of IaaS leading to collision between conflicting compliance laws | #PerconaLive

Frequent viewers of SiliconANGLE’s theCUBE are most often provided insight into trends, products and companies by a host of tech executives, practitioners, analysts, marketers and other members of the press. Host Jeff Frick welcomed a guest whose specific expertise is markedly important for ensuring the peace of mind of the enterprise and the general public as wide-scale data storage and cloud computing become the norm. Keith Moulsdale, a partner with the law firm of Whiteford, Taylor and Preston, specializes in cyber security.

Starting off the conversation, Frick asked Moulsdale to point out what he considers the hot button issues facing the industry. “Most people don’t understand what their obligations are with smaller companies, non-profits and trade associations,” Moulsdale began. “Larger companies understand their obligations and act on it.”

With the recent Target consumer data breach as a use case, Moulsdale walked through the obligations of a large company when the worst-case scenario occurs.

“They are estimating total liability to both Target and their vendors of $18 billion,” he stated. “In the case of a breach, you have to figure out immediately what happened. You have to hire forensic investigators to figure it out. There is that huge expense. Then hiring lawyers. That is expensive. But the biggest obligation is notifying affected individuals.”

With the exception of established compliance regimes like HIPAA and ITAR, Moulsdale explains, federal and state laws have not been written to pair well together. The discrepancy between the two makes recognizing compliance obligations very complicated.

With the advent of IaaS vendors like AWS and other third-party providers, Frick asked how the differences between state and federal compliance issues were being addressed.

With the strictest state-mandated security laws in the nation, Massachusetts requires that a company’s obligations flow out to its vendor. “You can’t just throw it to them and be shielded,” Moulsdale claimed. “It requires due diligence on the front end making sure you do it right.” Of course, that is the easy part of the equation. In the event there is a breach, according to Moulsdale, “it becomes more complicated because the breach occurs offsite and, depending on the provider, they don’t necessarily want to give you direct access.”

In light of third-party vendors virtualizing data and importing it into a cloud environment, Frick asked Moulsdale how the law determines location for jurisdictional purposes. “The law lags behind, always,” Moulsdale offered. “But if you hire 3rd party, you need to know where your virtualized data is located. You can’t just shirk it off.”

If you aren’t a large-scale corporation, chances are that when you are securing services from a vendor, you’re required to simply submit to a basic boilerplate agreement. “What happens if you click on a ‘yes’ and it goes to a court of law?” asked Frick. “It’s interesting,” replied Moulsdale, “because the consumer has no leverage. They can’t alter terms if they want to use the product. But there are consumer protection measures. The FTC can step in when they believe the vendor is not acting above board.” Of course, the FTC doesn’t initiate action until several incidents have been reported. Even then, it allows the vendor several opportunities to correct its behavior before bringing action against it.

The continued expansion of IaaS, contends Frick, could be leading to a collision course between conflicting compliance laws. “I think you’re right,” replied Moulsdale. “Unfortunately for most people, it’s good business for me.” In addressing compliance between the US and EU over the previous decade, Moulsdale points out how data was covered by safe harbor law. “Now, there are huge amounts of data and huge amounts of risk and the US and EU are on track to conflict legally.”

That conflict, presumably centered around privacy, led to Frick’s asking how the entire concept of privacy is evolving from a legal perspective. “Privacy is diminishing by the day,” Moulsdale answered. “Age and culture leads to different feelings about privacy. The obligation of our generation is to help the younger protect what we have had and enjoyed.”

Clearly, as we move forward into the new paradigms surrounding Cloud computing and data storage, medium and small companies will want to employ a legal strategy in tandem with their technical strategy to ensure full understanding of their specific compliance obligations.

