The users of electronic service provider often suffered losses caused by internet services did not work properly including losses due to leakage of personal data protection stored in cloud computing. The study aims to examine electronic service provider liability upon their failure performing internet services properly and security attacks on cloud computing. This study was normative legal research by examining national and international legal materials. The finding shows that the electronic provider shall be responsible based on right and obligation agreed under the agreement. Related to cloud computing, providing adequate security to avoid security attacks and misuse of private data that caused losses to the users becoming the liability of service provider. Based on the Federal Trade Commission Act, the liability arises on the grounds of deceptive and unfair trade practices. Under the General Data Protection Regulation of the European Union, the liability arises on the basis as the controller then provider liable for compensation for user’s suffered damage. In Indonesia, based on the Electronic Information and Transaction Law Amendment, the liability to the owner of personal data whose rights are violated and suffered losses arises due to a failure of ISP protect the data security. For better protection in Indonesia, the protection of big data and clear territorial scope of protection become necessary to consider.