Additionally, just because data is stored in a cloud doesn’t mean it shouldn’t be backed up locally. An organization should keep track of what information is stored in a cloud (or anywhere), why, and who has access. For example, I’ve seen organizations collecting social security numbers “because it might be useful” or keeping credit card numbers when they don’t have recurring billing.

Does your organization have IT/Cloud use policies. For example, password requirements, only using secure connections, only using secure computers, etc. If it’s not covered in a formal, written plan it’s not risk management.

Any time you store any data anywhere (digitally or physically on paper) you are responsible for the safety and security of that data. The recent Sony and RSA SecureID breeches are perfect examples of worst case scenarios when data is lost. It can cost in terms of business interruption, rebuilding customer databases, changing all usernames & passwords, public relations, reputation loss, etc.

Hope that helps and I hope risk management and insurance evolve with technology use.