In the wake of Edward Snowden’s revelations about surveillance tactics employed by the NSA, there are increasing concerns about corporate data privacy, and especially about where to house corporate and customer data. The prevalence of cloud computing and cloud-based storage and collaboration services is only exacerbating these concerns. While public pushback and grass-roots reform campaigns are evolving in the US and abroad, the reality remains that banks and financial institutions must operate within jurisdictional parameters. Deciding where to house and how to move your data is an exercise in both understanding the relevant legal regimes and the appropriate application of risk analysis in the decision-making process.
[A new report shows that while more organizations are putting sensitive data in the cloud, few say the data is being encrypted: Making the Cloud Secure for Sensitive Data.]
Location, location, location
In the United States and abroad, we’ve increasingly seen the legislative zeitgeist move towards consumer protection and strengthening data-hosting and transfer protocols with such measures as the Gramm-Leach-Bliley Act and the Data Protection Directive 95/46/EC. With many of today’s corporations operating in multiple territorial jurisdictions, it remains imperative for banks to understand data security, transfer, and retention requirements at every touch point. However, examining the physical location of the data is only the first step. Here are some key criteria when considering the physical location of your data repository:
Relation of data sites to your corporate HQ. Even if a bank or financial institution is headquartered in one location and the data rests in another, if the organization has business interests in foreign jurisdictions, those governments may be able to gain access by virtue of the organization’s presence there. The 1986 Electronic Communications Privacy Act serves as a prime example of a US federal law that has been applied to access a corporation’s servers that were located overseas. While the server may be remote and in a distinct political entity different from the bank that manages it, the laws of the land where the company or organization is headquartered will govern them and will likely require access to information within their “custody.”
Status of mutual legal assistance treaties. Even data that doesn’t reside within a country’s borders and doesn’t transit through that country might still be accessible by that country’s law enforcement and intelligence services. Mutual legal assistance treaties (MLATs) are mechanisms by which one country’s agents may request the assistance of another country in obtaining information over which they don’t have direct physical or legal access. The US currently has an MLAT with 56 foreign governments and a Mutual Legal Assistance Agreement with the People’s Republic of China. The US Treasury Department’s Financial Crimes Enforcement Network also has its own Memorandum of Understanding or an exchange of letters in place with 47 sovereign entities (including Taiwan).
Transit paths of traveling data. It’s important to note that information flow through the Internet is not geographically bound and often moves over the least-congested path. This path may involve transmission through many countries. Any of these countries could claim jurisdiction over data as it passes through their local Internet service providers. Traffic flow can also be hijacked, and recent evidence has shown some major rerouting of strictly North American traffic through international locations. VPNs and other forms of proxy reassignments can further complicate sourcing data origination, and transfer points can lead to multi-jurisdictional claims over data ownership.
The nature or subject matter of your company’s data. The actual content of your data might render it subject to the jurisdiction of some government body, no matter the location. For instance, under Massachusetts state law 201 CMR 17.00, personal information about a resident of the Commonwealth is subject to the data breach notification law, regardless of the affected party’s ties to the Commonwealth or the actual location of the data.
More organizations are finding their international business customers are asking questions about where their data is going. While this has been true for a while with European organizations as a result of the Data Protection Directive’s restrictions on cross-border data flow, even organizations outside the European Union and United States are starting to pay more attention. They might be concerned about their data, their obligations under the laws of their country, or their customers’ risks and perceptions about treatment of sensitive information.
Many countries have laws that govern the general disclosure of information, allowing several exceptions for law enforcement. They also follow specific legislation that explains the burden of proof that government agencies or law enforcement must meet to gain access. Depending on jurisdiction, this can range from just a request for information to a warrant signed by an independent judiciary based on probable cause of a criminal act. The requirements may vary depending upon the nature of the information: live communications being most sensitive and requiring the highest burden, and relatively static information such as customer lists being the lowest.
Matthew Porzio is vice president of product marketing for Intralinks, a global leader in secure enterprise collaboration. He is responsible for driving the development and marketing of Intralinks' exchanges, including virtual dealroom/dataroom solutions for the M&A and ... View Full Bio