Four steps before making the move
Regardless of where you choose to locate your data warehouse, these are steps you should take:
1. Perform a full risk analysis. Any bank should explore the entire range of conceivable threats and their impacts. Where previously a government’s data monitoring and interception activities were deemed as “ordinary course of business” and generally left out of the risk analysis, it’s now an important consideration, given the scope and capabilities of such sophisticated jurisdictions as the United States and the People’s Republic of China. The legal environment must be considered and weighed against other threats and factors.
2. Validate assumptions. The Snowden revelations showed us that governments (both foreign and domestic) can also easily and without recourse, circumvent corporate data security measures, and that insider threats might be more damaging than outside threats. It’s important for banks to know the laws, understand how governments can act on those laws, and not be misled by popular accounts or rumors. The Snowden affair highlights the resolute necessity of corporations to maintain proper in-house Chinese walls, prevent data leakage, and retain complete ability to retrace and recall any information leaks.
3. Encrypt your data in transit and at rest. There have been cases of entire streams of Internet traffic being rerouted through other countries, possibly for government surveillance or fraudulent purposes; data-encryption in transit is a must. Further, when data is being stored, it should be secured with multi-factor encryption keys that do not rest with any single source.
4. Be transparent about law enforcement access. Nearly every set of privacy principles has some form of transparency principle (Fair Information Practice Principles, Data Protection Directive, Privacy by Design, Generally Accepted Privacy Principles). Some laws require providers not to notify their customers in certain cases. Beyond this, you should seek to be as transparent as possible. This not only puts your customers on notice for their own benefit, but might help limit law enforcement placing unnecessary burdens and requests on your business. Also in conjunction with law enforcement access is the necessity to have some federal requirement requiring public company disclosure of data breaches within a given timeframe. Currently, 46 states and the District of Columbia have disparate disclosure timelines. The United States Securities Exchange Commission (SEC) provides active guidance with regard to potential risk profiles that can require disclosure; but even as recently as March 26, 2014, an SEC panel on cyber security concluded that there was still much to be learned about what the SEC’s role should be in changing reporting requirements, according to Commissioner Aguilar. There is also a proposed bill on the floor of the US Senate, S. 1897 -- Personal Data Privacy and Security Act of 2014, which would codify notification requirements for serious data breaches.
Information is one of your most valuable assets, and infrastructure, defense protocol, and remediation policies should be in place against all possible incursions. If your particular organization isn’t sensitive to data access by law enforcement, your customers certainly will be.
Matthew Porzio is vice president of product marketing for Intralinks, a global leader in secure enterprise collaboration. He is responsible for driving the development and marketing of Intralinks' exchanges, including virtual dealroom/dataroom solutions for the M&A and ... View Full Bio