BOSTON/NEW YORK The Sony data breach that compromised the personal data of more than 100 million customers of the Japanese electronics conglomerate may claim yet another victim -- the cloud computing industry.
Some businesses are rethinking plans to move to cloud-based computer systems located at remote data centers that can be accessed over the web.
Shares of companies that specialize in cloud computing have been some of top-performing stocks over the past year. But the attack on Sony, as well as a massive outage at Amazon.com Inc's cloud computing center, have caused some businesses to put the brakes on plans to move their operations into the cloud.
"Nobody is secure. Sony is just the tip of this thing," said Eric Johnson, a professor at Dartmouth University who advises large corporations on computer technology strategies.
Since news of the Sony breach broke on April 26, shares of companies involved in cloud computing have underperformed the broader market.
Salesforce.com Inc, a maker of web-delivered software, has dropped 3 percent. VMware Inc, which sells software for building clouds, has declined 2 percent. The Standard & Poor's 500 Index has climbed 3.3 percent.
Experts in digital security say that investors, businesses and consumers have put too much faith in the cloud.
"You don't want to have this trust in the magic of the cloud. It's not that simple," said Mike Logan, president of Axis Technology, a data security company. "It's like Facebook. If you put all this sensitive information there, guess what? People are going to see it."
Cloud computing companies have done a good job convincing customers that their data is safe, even though that may not be the case, said Gartner cloud security analyst Jay Heiser.
"If you're doing anything that is critical to your business, you need contingency plans," Heiser said. "The marketing messages of some cloud computing companies have urged people to gloss over this need for contingency plans."
Consumers trust the cloud to handle services ranging from email to credit reports and filing taxes, usually without first investigating the security of those systems.
"Even services that you think may be secure, such as filing your taxes online, could be compromised," said Murray Jennex, information systems professor at San Diego State University.
Consumers expect a company as large as Sony to protect its data adequately, said Jeff Fox, electronics editor for Consumer Reports Magazine.
"You would have thought a big time reputable company like Sony would be running up-to-date, patched software with an appropriate firewall," he said. "If Sony didn't do this, which other big, reputable companies aren't doing this?"
Because cloud services are so new, there are few standards or best practices for how to store and protect data.
"There's nothing from the government or regulatory industry that says anything about how to run a shop," said Dan Zeiler, director of security and compliance for American Internet Services.
For now, companies generally have little protection against outages and security breaches, said Cynthia Larose, privacy attorney at Mintz Levin.
She expects that to change in the wake of the Sony breach and the Amazon.com's outage, which destroyed the data of a handful of its customers.
Larose added that companies in industries such as healthcare and financial services as well as businesses that own a lot of intellectual property are seeking special insurance plans that protect against cyber thefts.
"There's a pretty broad sweep of companies going out and trying to get these cloud services covered," she said.
Some cloud providers are already seeing their clients trying to negotiate new contracts that put financial penalties on cloud providers for service disruptions or security problems, said Ford Winslow, chief information officer of Abnology, a company that provides cloud services.
He said the first round of contracts for early adopters are coming to an end after three-year deals and companies are seeking better performance and terms for disasters.
(Editing by Steve Orlofsky)