John Landy is chief security officer at Intralinks, a secure enterprise collaboration and file-sharing provider. Prior to joining Intralinks, John was chief architect at JPMorgan Invest, the online brokerage subsidiary of JPMorgan Chase.
Deciding where to house corporate data requires an understanding of the relevant laws across countries, as well as a thorough risk analysis. Organizations might have legal or ethical obligations to protect data in one jurisdiction, while also facing legal requirements to turn that information over in another. In addition, the move to cloud-based data storage and processing has only added to jurisdictional concerns.
There are four important factors organizations should review when selecting the physical location of their data repositories:
1. Your data’s subject matter. The actual content of your data might render it subject to the jurisdiction of some government body, no matter the location. For instance, under Massachusetts state law, personal information about residents of the Commonwealth is subject to the data breach notification law, regardless of the information holder’s ties to the state or the actual location of the data.
2. Your target location’s mutual legal assistance treaties (MLAT). These are binding agreements between countries by which one country’s agents can request the assistance of another country to obtain information over which they don’t have direct physical or legal access.
3. Transit patterns of traveling data. Information flow through the Internet often involves transmission through many countries, traveling the path of least congestion. Any of the countries through which your data passes can claim jurisdiction – including countries where your traffic path may have been hijacked by hackers.
4. Relation of data to your corporate headquarters. Governments of countries where your company has related interests may be able to gain access to data stored elsewhere. The laws of the country where the company or organization is headquartered may require access to information within its “custody.”
Once these four criteria have been used to evaluate potential locations, organizations should explore the entire range of conceivable threats through a risk analysis. A government’s data monitoring/interception jurisdiction is an important consideration. The legal environment must be considered and weighed against other threats and factors.
To begin this process, it’s important for organizations to know the laws, understand how governments can act on those laws, and not be misled by popular accounts or rumors. Further, data encryption in transit, regardless of location, is a must. Additionally, when data is being stored, it should be secured, with multi-factor encryption keys owned and controlled by the company that do not rest within any single source.
Choosing where to locate your data shouldn’t be done in a vacuum. Cloud computing and remote storage can relieve many organizations of the technological burdens of understanding the mechanics that fall under the cloud, but this doesn’t relieve businesses from the burden of understanding the laws of the nations where these clouds operate.
Global Locations: Who Makes the Grade?
Below is a ranking of countries and regions based on their current MLAT status and legal protection stance on corporate data in transit and at rest. While a full breakdown of the data protection laws for every nation on earth would require volumes, this is a brief, selective overview. Many countries have laws that govern the general disclosure of information with enumerated exceptions for law enforcement.
These nations receive a grade of “A” for their strong laws for intelligence and law enforcement activity, and strong data protection enforcement:
The below countries are solid “B” grade earners. Their governance laws weigh more heavily on the side of intelligence and law enforcement activity, but do offer some data protection enforcement.
- The United States
- The European Union (EU)
The “C” students have minimal rules for intelligence and law enforcement activity, as well as limited data protection enforcement:
- South Africa
The following countries rate either a “D” or an “F” due to their negligible rules for intelligence and law enforcement activity, and non-existent data protection enforcement:
- Saudi Arabia
- Hong Kong
It’s important to note, however, that the United States is situated in a unique power position relative to other nations in terms of raw access to data. A majority of the world’s telecommunications traffic runs through switches and servers located in or controlled by U.S. interests. This explains why U.S. companies receive special treatment when dealing with European Union citizen data, for example.
While a strong rule-of-law jurisdiction, lack of clarity of extrajudicial processes for collection of data has muddied the waters. Meanwhile, Germany’s Anti-Terrorism Law provides its security architecture direct access to personal data. Consider this: under federal court order, authorities in Germany can legally release a “Federal Trojan” in order to infiltrate computer systems and obtain information without notifying the system owner.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.