Is user data safe in the cloud?
Minimizing cloud risks
To reduce the chances of a nightmare scenario like that from happening, potential clients shopping around for a cloud service provider need to do their research.
The only way clients can fully understand and control their data is by learning as much as possible and being firm throughout contract negotiations. In the absence of standards like PCI, it's not enough to trust providers to protect your data or take their word for it: companies need to get details on how data will be physically stored, how well it will be encrypted on physical servers that share storage space with other client data, whether the provider employs third parties, and what those companies' operational procedures are. Clients need to be crystal clear in understanding how their data is handled and who within the company or outside the company will have access to it.
In the case of the lost back-up data situation, it almost sounds like a no-brainer that the provider would turn around and notify affected clients about compromised security, but in reality, the company is under no obligation to do so unless their contracts say otherwise. So, requirements for client notification, whether a good or bad situation arises, is a must.
Also worth inquiring about during contract negotiations? "First right of refusal" when hiring third parties, separate physical servers and cabinets, and/or separate data encryption services. Clients won't necessarily be granted such demands -- that depends on their history with the provider and how much they values the business -- but the price of not asking and subsequently suffering a security breech could be immensely high. Of course, some of the worst losses of private data over the last few years have come from the "stolen laptop" syndrome, where data that should've never been on personal computer ended up in the hands of petty thieves (or perhaps worse).
All of this, of course, is vital for companies who are setting up cloud based businesses and do right by their users. Average users generally have no way of knowing how their data is being treated, outside the boilerplate privacy policies that companies post on their websites. Which is to say that short of creating a total information blockade, we are already living in the cloud.