Matthew Porzio
Commentary

Where in the World Should Banks Store Their Data?

Deciding where to house and how to move data involves understanding the relevant legal regimes and the application of risk analysis.



In the wake of Edward Snowden’s revelations about surveillance tactics employed by the NSA, there are increasing concerns about corporate data privacy, and especially about where to house corporate and customer data. The prevalence of cloud computing and cloud-based storage and collaboration services is only exacerbating these concerns. While public pushback and grass-roots reform campaigns are evolving in the US and abroad, the reality remains that banks and financial institutions must operate within jurisdictional parameters. Deciding where to house and how to move your data is an exercise in both understanding the relevant legal regimes and the appropriate application of risk analysis in the decision-making process.


Location, location, location
In the United States and abroad, we’ve increasingly seen the legislative zeitgeist move towards consumer protection and strengthening data-hosting and transfer protocols with such measures as the Gramm-Leach-Bliley Act and the Data Protection Directive 95/46/EC. With many of today’s corporations operating in multiple territorial jurisdictions, it remains imperative for banks to understand data security, transfer, and retention requirements at every touch point. However, examining the physical location of the data is only the first step. Here are some key criteria when considering the physical location of your data repository:

Relation of data sites to your corporate HQ. Even if a bank or financial institution is headquartered in one location and the data rests in another, if the organization has business interests in foreign jurisdictions, those governments may be able to gain access by virtue of the organization’s presence there. The 1986 Electronic Communications Privacy Act serves as a prime example of a US federal law that has been applied to access a corporation’s servers that were located overseas. While the server may be remote and in a distinct political entity different from the bank that manages it, the laws of the land where the company or organization is headquartered will govern them and will likely require access to information within their “custody.”

Status of mutual legal assistance treaties. Even data that doesn’t reside within a country’s borders and doesn’t transit through that country might still be accessible by that country’s law enforcement and intelligence services. Mutual legal assistance treaties (MLATs) are mechanisms by which one country’s agents may request the assistance of another country in obtaining information over which they don’t have direct physical or legal access. The US currently has an MLAT with 56 foreign governments and a Mutual Legal Assistance Agreement with the People’s Republic of China. The US Treasury Department’s Financial Crimes Enforcement Network also has its own Memorandum of Understanding or an exchange of letters in place with 47 sovereign entities (including Taiwan).

Transit paths of traveling data. It’s important to note that information flow through the Internet is not geographically bound and often moves over the least-congested path. This path may involve transmission through many countries. Any of these countries could claim jurisdiction over data as it passes through their local Internet service providers. Traffic flow can also be hijacked, and recent evidence has shown some major rerouting of strictly North American traffic through international locations. VPNs and other forms of proxy reassignments can further complicate sourcing data origination, and transfer points can lead to multi-jurisdictional claims over data ownership.

The nature or subject matter of your company’s data. The actual content of your data might render it subject to the jurisdiction of some government body, no matter the location. For instance, under Massachusetts state law 201 CMR 17.00, personal information about a resident of the Commonwealth is subject to the data breach notification law, regardless of the affected party’s ties to the Commonwealth or the actual location of the data.

More organizations are finding their international business customers are asking questions about where their data is going. While this has been true for a while with European organizations as a result of the Data Protection Directive’s restrictions on cross-border data flow, even organizations outside the European Union and the United States are starting to pay more attention. They might be concerned about their data, their obligations under the laws of their country, or their customers’ risks and perceptions about the treatment of sensitive information.

Many countries have laws that govern the general disclosure of information, allowing several exceptions for law enforcement. They also follow specific legislation that explains the burden of proof that government agencies or law enforcement must meet to gain access. Depending on jurisdiction, this can range from just a request for information to a warrant signed by an independent judiciary based on probable cause of a criminal act. The requirements may vary depending upon the nature of the information: live communications being most sensitive and requiring the highest burden, and relatively static information such as customer lists being the lowest.



Four steps before making the move
Regardless of where you choose to locate your data warehouse, these are steps you should take:

1. Perform a full risk analysis. Any bank should explore the entire range of conceivable threats and their impacts. Where previously a government’s data monitoring and interception activities were deemed as “ordinary course of business” and generally left out of the risk analysis, it’s now an important consideration, given the scope and capabilities of such sophisticated jurisdictions as the United States and the People’s Republic of China. The legal environment must be considered and weighed against other threats and factors.

2. Validate assumptions. The Snowden revelations showed us that governments (both foreign and domestic) can easily, and without recourse, circumvent corporate data security measures, and that insider threats might be more damaging than outside threats. It’s important for banks to know the laws, understand how governments can act on those laws, and not be misled by popular accounts or rumors. The Snowden affair highlights the resolute necessity for corporations to maintain proper in-house Chinese walls, prevent data leakage, and retain the complete ability to retrace and recall any information leaks.

3. Encrypt your data in transit and at rest. There have been cases of entire streams of Internet traffic being rerouted through other countries, possibly for government surveillance or fraudulent purposes; data encryption in transit is a must. Further, when data is being stored, it should be secured with multi-factor encryption keys that do not rest with any single source.

4. Be transparent about law enforcement access. Nearly every set of privacy principles has some form of transparency principle (Fair Information Practice Principles, Data Protection Directive, Privacy by Design, Generally Accepted Privacy Principles). Some laws require providers not to notify their customers in certain cases. Beyond this, you should seek to be as transparent as possible. This not only puts your customers on notice for their own benefit, but might help limit law enforcement placing unnecessary burdens and requests on your business. Closely related to law enforcement access is the need for a federal requirement that public companies disclose data breaches within a given timeframe. Currently, 46 states and the District of Columbia have disparate disclosure timelines. The United States Securities and Exchange Commission (SEC) provides active guidance with regard to potential risk profiles that can require disclosure; but even as recently as March 26, 2014, an SEC panel on cyber security concluded that there was still much to be learned about what the SEC’s role should be in changing reporting requirements, according to Commissioner Aguilar. There is also a proposed bill on the floor of the US Senate, S. 1897, the Personal Data Privacy and Security Act of 2014, which would codify notification requirements for serious data breaches.
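One way to realise step 3's requirement that the at-rest encryption key "not rest with any single source" is a threshold secret-sharing scheme. The following is an added example (Shamir's scheme in plain Python, written for this page and not code from the article or from Intralinks): the key is split so that any two of three custodians can rebuild it, while one custodian alone, or one jurisdiction's order served on that custodian, yields nothing. The 2-of-3 split between HQ, a local custodian and an escrow agent is an assumed arrangement for illustration, and the key is whatever data-encryption key the storage encryption in use expects.

```python
import secrets

# Field prime: the Mersenne prime 2^521 - 1, large enough to hold any 256-bit key.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with these coefficients at x (Horner's method, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, custodians: int):
    """Split a data-at-rest key into one share per custodian.

    The key is the constant term of a random polynomial of degree threshold-1;
    each custodian receives one point (x, f(x)) on it. Fewer than `threshold`
    points reveal nothing about the constant term, so no single custodian holds the key.
    """
    if not 1 < threshold <= custodians:
        raise ValueError("need 1 < threshold <= custodians")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, custodians + 1)]


def recover_key(shares, key_len: int) -> bytes:
    """Recombine at least `threshold` distinct shares by Lagrange interpolation at x = 0."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse: den^(PRIME-2) == den^-1 mod PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    # Too few shares yield a field-sized random value, not the key; return it
    # at its natural length so the mismatch is visible instead of an overflow error.
    return secret.to_bytes(max(key_len, (secret.bit_length() + 7) // 8), "big")


if __name__ == "__main__":
    # Constructed demo: a random 256-bit key split 2-of-3 between HQ, a local
    # custodian and an escrow agent (hypothetical roles, not from the article).
    key = secrets.token_bytes(32)
    hq, local, escrow = split_key(key, threshold=2, custodians=3)
    print("HQ + escrow recover key:", recover_key([hq, escrow], 32) == key)
    print("HQ alone recovers key:  ", recover_key([hq], 32) == key)
```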

Information is one of your most valuable assets, and infrastructure, defense protocol, and remediation policies should be in place against all possible incursions. If your particular organization isn’t sensitive to data access by law enforcement, your customers certainly will be.

Matthew Porzio, Vice President of Strategy and Product Marketing, joined Intralinks in August of 2003. He is responsible for overseeing the Strategic Transactions line of business, driving the development and marketing of Intralinks' products including virtual ...

Comments
Charlie Babcock, 7/18/2014 | 4:01:04 PM
Each country has its own rules....
Good advice from Matthew Porzio. Canada has a law that its citizen health care info can't be stored on U.S. servers due to inspections allowed by the Patriot Act. UK, Germany, France, Netherlands all have their own "right to inspect" laws, I believe, for data on their soil. Data that originates in Germany can't leave Germany. You need legal expertise to keep track....
Byurcan, 7/17/2014 | 9:51:39 AM
Re: Not all the challenges are tech-based
Yes, especially as the author points out, in instances when data is stored in a different place than a corporate HQ. Navigating different laws/regulations in different jurisdictions can be an onerous process.
KBurger, 7/15/2014 | 1:34:09 PM
Not all the challenges are tech-based
This underscores the reality that when it comes to data management, storage, security and just about any kind of technology-based function, sometimes the biggest challenges are not about technology or IT -- sometimes the difficulty has more to do with legal and compliance issues, training, corporate structure, etc. Thanks for the thorough analysis, Matthew.