Data residency in a borderless environment
International use of personal data emphasises the differing laws that need to be adhered to, but there are solutions explains Alan Kessler.
Of cryptography and conspiracy stories
With more than 99 countries having data privacy laws in place as of mid-2013 (and a further 21 countries with bills pending), there are wide global variations in requirements for protecting and storing personal data. Regulations range from very strict to more flexible, depending on the country. Multinational companies must understand the numerous challenges posed by the current data residency landscape. To give you an idea of the technological and legal minefields that global companies face, there are some events in Europe that provide a perspective on just how complex the current situation is.
In December 2013, for example, Spain's Data Protection Agency fined Google US$1.2 million (£700,000) for breaking its data protection laws. The DPA cited Google for collecting information about its users in Spain and sharing that data across its services without properly informing those users about the collection practices.
In Germany, in October 2013, courts took a more business-friendly approach toward business liabilities for data protection violations. The Schleswig-Holstein Administrative Court ruled “companies using Facebook's fan pages can't be held responsible for data protection law violations committed by the social networking site because the companies couldn't control the use of the data.” The ruling overturned an August 2011 order from the Schleswig-Holstein's Data Protection Authority (ULD), which stated companies and public entities using web analytics to measure usage patterns are responsible for enforcing data protection compliance. At the time, the ULD also absolved Facebook of its responsibility to protect data due to the company not maintaining a physical office in Germany.
Interestingly, only last month, Russian lawmakers introduced a bill that would require foreign internet companies to store personal information about their Russian users on computer servers physically inside the country. Some may say this is a sign of things to come, but it appears to be already in motion. Take for example how, in June 2014, Microsoft filed through the US courts a challenge to federal prosecutors' `right' to demand access to its data stored in an Irish data centre.
As we can see, the legal landscape is inconsistent and complex – a single company will likely need to treat data differently in different jurisdictions. How data residency applies to the cloud is making the situation even more difficult to grapple with. With no internationally agreed laws around data sovereignty, enterprises seeking to utilise the cloud are often left asking many questions – whose laws apply? Is it the laws of the country in which the cloud customer is based, or where the data originated?
That said, it is possible to remain compliant with data residency laws and ensure data is protected. The best way to make this happen is to ensure all data is not accessible to those outside of their home legal jurisdiction (except when explicit consent is given on a per usage basis). Encrypting data and limiting access to only users within a given jurisdiction is one solution.
Tokenisation – the process of replacing sensitive data with unique identification symbols that acts as a proxy for the original information – is an increasingly popular tactic. Original data is kept in a master database that can be hardened, encrypted and used to keep track of which token matches which original piece of data. This approach minimises the amount of sensitive data a business needs to keep and typically is applied to a single field or column (eg credit card numbers and social security numbers). Equally, with tokenisation, enterprises using public cloud solutions do not need to worry about where the CSPs data centre is located, since the actual data never leaves their in-country data centre where the tokenisation process occurs.
While the myriad of laws governing data residency indicate businesses have their work cut out for them, it's more straightforward than you think. Security executives must take the time to do their due diligence in researching and understanding data residency and assess the encryption solutions that best fit their needs.
Contributed by Alan Kessler, CEO, Vormetric