06:00 AM
Matthew Porzio
Matthew Porzio

Where in the World Should Banks Store Their Data?

Deciding where to house and how to move data involves understanding the relevant legal regimes and the application of risk analysis.

In the wake of Edward Snowden’s revelations about surveillance tactics employed by the NSA, there are increasing concerns about corporate data privacy, and especially about where to house corporate and customer data. The prevalence of cloud computing and cloud-based storage and collaboration services is only exacerbating these concerns. While public pushback and grass-roots reform campaigns are evolving in the US and abroad, the reality remains that banks and financial institutions must operate within jurisdictional parameters. Deciding where to house and how to move your data is an exercise in both understanding the relevant legal regimes and the appropriate application of risk analysis in the decision-making process.

[A new report shows that while more organizations are putting sensitive data in the cloud, few say the data is being encrypted: Making the Cloud Secure for Sensitive Data.]

Location, location, location
In the United States and abroad, we’ve increasingly seen the legislative zeitgeist move towards consumer protection and strengthening data-hosting and transfer protocols with such measures as the Gramm-Leach-Bliley Act and the Data Protection Directive 95/46/EC. With many of today’s corporations operating in multiple territorial jurisdictions, it remains imperative for banks to understand data security, transfer, and retention requirements at every touch point. However, examining the physical location of the data is only the first step. Here are some key criteria when considering the physical location of your data repository:

Relation of data sites to your corporate HQ. Even if a bank or financial institution is headquartered in one location and the data rests in another, if the organization has business interests in foreign jurisdictions, those governments may be able to gain access by virtue of the organization’s presence there. The 1986 Electronic Communications Privacy Act serves as a prime example of a US federal law that has been applied to access a corporation’s servers that were located overseas. While the server may be remote and in a distinct political entity different from the bank that manages it, the laws of the land where the company or organization is headquartered will govern them and will likely require access to information within their “custody.”

Status of mutual legal assistance treaties. Even data that doesn’t reside within a country’s borders and doesn’t transit through that country might still be accessible by that country’s law enforcement and intelligence services. Mutual legal assistance treaties (MLATs) are mechanisms by which one country’s agents may request the assistance of another country in obtaining information over which they don’t have direct physical or legal access. The US currently has an MLAT with 56 foreign governments and a Mutual Legal Assistance Agreement with the People’s Republic of China. The US Treasury Department’s Financial Crimes Enforcement Network also has its own Memorandum of Understanding or an exchange of letters in place with 47 sovereign entities (including Taiwan).

Transit paths of traveling data. It’s important to note that information flow through the Internet is not geographically bound and often moves over the least-congested path. This path may involve transmission through many countries. Any of these countries could claim jurisdiction over data as it passes through their local Internet service providers. Traffic flow can also be hijacked, and recent evidence has shown some major rerouting of strictly North American traffic through international locations. VPNs and other forms of proxy reassignments can further complicate sourcing data origination, and transfer points can lead to multi-jurisdictional claims over data ownership.

The nature or subject matter of your company’s data. The actual content of your data might render it subject to the jurisdiction of some government body, no matter the location. For instance, under Massachusetts state law 201 CMR 17.00, personal information about a resident of the Commonwealth is subject to the data breach notification law, regardless of the affected party’s ties to the Commonwealth or the actual location of the data.

More organizations are finding their international business customers are asking questions about where their data is going. While this has been true for a while with European organizations as a result of the Data Protection Directive’s restrictions on cross-border data flow, even organizations outside the European Union  and United States are starting to pay more attention. They might be concerned about their data, their obligations under the laws of their country, or their customers’ risks and perceptions about treatment of sensitive information.

Many countries have laws that govern the general disclosure of information, allowing several exceptions for law enforcement. They also follow specific legislation that explains the burden of proof that government agencies or law enforcement must meet to gain access. Depending on jurisdiction, this can range from just a request for information to a warrant signed by an independent judiciary based on probable cause of a criminal act. The requirements may vary depending upon the nature of the information: live communications being most sensitive and requiring the highest burden, and relatively static information such as customer lists being the lowest.

Matthew Porzio, Vice President of Strategy and Product Marketing, joined Intralinks in August of 2003. He is responsible for overseeing the Strategic Transactions line of business driving the development and marketing of Intralinks' products including virtual ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
Charlie Babcock,
User Rank: Apprentice
7/18/2014 | 4:01:04 PM
Each country has its own rules....
Good advice from Matthew Porzio. Canada has a law that its citizen health care info can't be stored on U.S. servers due to inspections allowed by the Patriot Act. UK, Germany, France, Netherlands all have thier own "right to inspect" laws, I believe, for data on their soil. Data that originates in Germany, can't leave Germany. You need legal expertise to keep track....  
User Rank: Author
7/17/2014 | 9:51:39 AM
Re: Not all the challenges are tech-based
Yes, especially as the author points out, in instances when data is stored ina  different place than a corporate HQ. Navigating different laws/regulations in different jurisdictions can be an onerous process.
User Rank: Author
7/15/2014 | 1:34:09 PM
Not all the challenges are tech-based
This underscores the reality that when it comes to data management, storage, security and just about any kind of technology-based function, sometimes the biggest challenges are not about technology or IT -- sometimes the difficulty has more to do with legal and compliance issues, training, corporate structure, etc. Thanks for the thorough analysis, Matthew.
Register for Bank Systems & Technology Newsletters
White Papers
Current Issue
Bank Systems & Technology
BS&T's 2014 Elite 8 executives are leading their banks to success, whether it involves leveraging the cloud, modernizing core systems, or transforming into digital enterprises.
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.