A cloud service provider is used to perform analytics on an organization’s sensitive data. A data
leakage incident occurs in the service provider’s network. From a regulatory perspective, the
organization is responsible for the data breach. This is because the organization is the data owner
and has the ultimate accountability and liability for the security and privacy of its data, regardless of
where it is stored or processed. The organization cannot transfer or delegate its responsibility to the
service provider, even if there is a contractual agreement or service level agreement that specifies
the security obligations of the service provider. The other options are not correct, because they
either imply that the service provider is responsible (A), or that the responsibility depends on the
nature of breach (B) or specific regulatory requirements C, which are not relevant factors.
