Unfortunately, the laws and regulations protecting digital information can be extremely complex. They are dependent on different governments and jurisdictions, and data stored in certain countries may or may not be subject to subpoena by another country’s government (or even the host country’s government).
As an IT professional, you’re likely responsible for ensuring that your company’s data is fully protected. However, you need to provide your business’s owner with the basics to enable him or her to make the best decisions for the company — and the valuable data it possesses. For those who don’t work with technology all day, however, the variables can be overwhelming.
To give your CEO or company’s owner the most essential information, you need to:
1. Understand the laws and regulations associated with data protection. In certain jurisdictions, governments can seize data otherwise protected in other jurisdictions. For example, America’s Patriot Act led some cloud users to avoid data centers on U.S. soil for fear that law enforcement could attempt to intercept their communications.
In some countries, data sovereignty extends beyond the host jurisdiction. Some data centers outside the U.S. may fall under the Patriot Act’s purview if the cloud provider is owned by a U.S. company. For instance, in 2014, U.S. Magistrate Judge James Francis ordered Microsoft to release information from its Dublin data center.
The same issues may be true for U.K.-owned cloud providers, due to the Regulation of Investigatory Powers Act. However, many analysts believe these concerns are inflated.
2. Host data outside of the United States. Using cloud providers outside the U.S. is especially important for non-U.S. companies — particularly those in highly regulated industries such as law or finance. When your information isn’t secure, you risk losing business and damaging your reputation.
But even if data is stored locally, it’s potentially vulnerable to surveillance by the U.S. government under Judge Francis’ ruling. Choosing a non-U.S. cloud provider is the only way for non-U.S. cloud users to guarantee that their data remains private and secure.
3. Opt for private cloud services. When using certain public cloud-based services, you have no control over where the company stores data. Plus, these companies may be providing the U.S. government with simplified access to data upon request, regardless of the host location.
When it comes to your company’s data, information is power. It’s up to you to protect your customers’ interests by knowing everything you can about your cloud provider — and it’s up to you to educate your CEO so you can jointly make the best decisions for the people who trust you with their data.
If you’re not sure where a provider houses its data, you must do your own research and investigate the host country’s data protection laws. It’s the only way to protect your company’s reputation and ensure that your customers’ information remains private.
Correction and editor’s note, 11/17/2014 2:59PM: An earlier version of this article incorrectly stated that when using Amazon Web Services, “you have no control over where the company stores data. Plus, these companies may be providing the U.S. government with simplified access to data upon request, regardless of the host location.” This information was inaccurate and we regret the error. For information on AWS security measures, please visit http://aws.amazon.com/security/.