06:00 AM
Matthew Porzio

Where in the World Should Banks Store Their Data?

Deciding where to house and how to move data involves understanding the relevant legal regimes and the application of risk analysis.

Four steps before making the move
Regardless of where you choose to locate your data warehouse, these are steps you should take:

1. Perform a full risk analysis. Any bank should explore the entire range of conceivable threats and their impacts. Government data monitoring and interception activities were previously deemed “ordinary course of business” and generally left out of the risk analysis; they are now an important consideration, given the scope and capabilities of such sophisticated jurisdictions as the United States and the People’s Republic of China. The legal environment must be considered and weighed against other threats and factors.

2. Validate assumptions. The Snowden revelations showed us that governments (both foreign and domestic) can also easily, and without recourse, circumvent corporate data security measures, and that insider threats might be more damaging than outside threats. It’s important for banks to know the laws, understand how governments can act on those laws, and not be misled by popular accounts or rumors. The Snowden affair highlights the necessity for corporations to maintain proper in-house Chinese walls, prevent data leakage, and retain the complete ability to retrace and recall any information leaks.

3. Encrypt your data in transit and at rest. There have been cases of entire streams of Internet traffic being rerouted through other countries, possibly for government surveillance or fraudulent purposes; data encryption in transit is a must. Further, when data is being stored, it should be secured with multi-factor encryption keys that do not rest with any single source.

4. Be transparent about law enforcement access. Nearly every set of privacy principles has some form of transparency principle (Fair Information Practice Principles, Data Protection Directive, Privacy by Design, Generally Accepted Privacy Principles). Some laws require providers not to notify their customers in certain cases. Beyond this, you should seek to be as transparent as possible. This not only puts your customers on notice for their own benefit, but might help limit law enforcement placing unnecessary burdens and requests on your business. Related to law enforcement access is the need for a federal requirement that public companies disclose data breaches within a given timeframe. Currently, 46 states and the District of Columbia have disparate disclosure timelines. The United States Securities and Exchange Commission (SEC) provides active guidance with regard to potential risk profiles that can require disclosure; but even as recently as March 26, 2014, an SEC panel on cyber security concluded that there was still much to be learned about what the SEC’s role should be in changing reporting requirements, according to Commissioner Aguilar. There is also a proposed bill on the floor of the US Senate, S. 1897 -- Personal Data Privacy and Security Act of 2014, which would codify notification requirements for serious data breaches.

Information is one of your most valuable assets, and infrastructure, defense protocol, and remediation policies should be in place against all possible incursions. If your particular organization isn’t sensitive to data access by law enforcement, your customers certainly will be.

Matthew Porzio, Vice President of Strategy and Product Marketing, joined Intralinks in August of 2003. He is responsible for overseeing the Strategic Transactions line of business driving the development and marketing of Intralinks' products including virtual ...

Charlie Babcock
User Rank: Apprentice
7/18/2014 | 4:01:04 PM
Each country has its own rules....
Good advice from Matthew Porzio. Canada has a law that its citizen health care info can't be stored on U.S. servers due to inspections allowed by the Patriot Act. UK, Germany, France, Netherlands all have their own "right to inspect" laws, I believe, for data on their soil. Data that originates in Germany can't leave Germany. You need legal expertise to keep track....
User Rank: Author
7/17/2014 | 9:51:39 AM
Re: Not all the challenges are tech-based
Yes, especially as the author points out, in instances when data is stored in a different place than a corporate HQ. Navigating different laws/regulations in different jurisdictions can be an onerous process.
User Rank: Author
7/15/2014 | 1:34:09 PM
Not all the challenges are tech-based
This underscores the reality that when it comes to data management, storage, security and just about any kind of technology-based function, sometimes the biggest challenges are not about technology or IT -- sometimes the difficulty has more to do with legal and compliance issues, training, corporate structure, etc. Thanks for the thorough analysis, Matthew.