Knowing the Whereabouts of your Corporate Data

In an earlier article for the IFC Review, ‘Is Privacy the Major Casualty of the Information Age?’ January 2011, I discussed the challenges that financial services businesses face in maintaining the privacy of client and corporate data from the threats of technology developments. In this article I look at the broader implications of storing corporate data with third parties which have resulted from the growing ‘cloud’ trend and ask the question – how does this change the risk of data breach? Whose responsibility is it to ensure data integrity the CIO, CTO or CEO?

The advent of cloud computing is changing the delivery of information and communications services from a self-provisioned (in-house) model to a utility one.   The disruptive effects that this is likely to have on business will be similar to those caused by the Internet 15 years ago as companies that are swift to adopt innovative technologies can completely change the costs or functionality (or both) of their services – to their competitive advantage. In this case, in order to benefit from the utility model, whereby IT functions become commoditised, data has to be entrusted to storage under the control of the utility service provider for safekeeping.

So, as well as the compelling economic forces that are driving this trend there are significant changes in the way that businesses need to approach the management of confidential data and new risks have emerged as a result. These risks, once the domain of the CIO and the compliance department, as IT was an operations issue, now need to be embraced by the CEO, as IT evolves into the platform that underpins all of the businesses services.

Developments such as cloud computing services offer compelling economic advantages and remove many of the complexities of traditional information technology. However, as with many other things that offer a better life there are catches, and in this case they can be summarised as security and supplier credibility.

There is no question that the ongoing simplification and commoditisation of information technologies means that businesses will continue to outsource the management of data storage and processing to an ‘on demand’ model through external service providers. The risk in doing so is that confidential information appears to be no longer under the direct control of the owner.

Typically this perceived security risk falls into three broad categories: people and processes; the credentials and integrity of the external service provider; and geography.

The first I dealt with at length in the previous article, the second is an important aspect but supplier validation is well understood (and many suppliers now publish their security practices) but the last one, geography, is often overlooked.

The geographical location of corporate data is of vital importance as it will almost certainly be deemed the legal jurisdiction that governs the data. All highly regulated businesses, such as those in financial services, will have a greater governance and compliance obligation and will therefore need to be sure they know exactly where their data resides.

The data explosion shows absolutely no sign of slowing down soon and so the difficulties of managing it, backing it up and making it permanently available to the stakeholders of the business needing to access it from many different places is a growing problem for most organisations. The situation is exacerbated with a growing number of different access devices like laptops, tablets and smart phones used today.

This brings us to the geography. Geographic issues aren’t just around ensuring compliance with appropriate data protection legislation, other risks to consider include, for example, what interception and seizure legislation exists in the country of the data hoster?

In the US and the UK the Patriot Act and the Regulations of Investigatory Powers respectively confer immense powers to the law enforcement agencies and other government departments. Data loss or disclosure could be the result of an unrelated investigation or seizure where an element of the service provider’s equipment has been isolated or switched off; a sort of collateral damage. In situations like this the service provider (irrespective of its contractual obligations) is often legally bound not to divulge any information relating to this activity to its customers. The old adage “you have nothing to fear if you have nothing to hide” is inadequate these days. Consider how the UK HMRC managed to lose 25 million child benefit records. The subsequent investigation, on behalf of the UK Information Commissioner’s Office, described the loss as “entirely avoidable” and was a result of “serious institutional deficiencies”. The lesson being that government isn’t necessarily the safest custodian of sensitive information.

In general terms it is more prudent that cloud-stored data is in the same jurisdiction as the business to ensure that there are no unexpected legal, regulatory or tax consequences. However, this isn’t as easy as it sounds for businesses that are based outside of the US where the big cloud services are currently concentrated. The bigger cloud service providers are catching on to the jurisdictional sensitivity of corporate customers, particularly those involved in financial services, and are now offering services based in the UK and Europe. For businesses elsewhere and especially those in the smaller island based financial centres it is imperative to find cloud services providers that are themselves based in legally compatible or ‘data neutral’ jurisdictions.

Data in the hands of a capable third party should be as safe as it is on the business’ premises, but the difficulty today is properly assessing service provider ‘capabi

Chris Evans
Chris Evans is the CEO of Foreshore, a Channel Islands based Internet services company that provides secure hosting, email and data storage solutions to financial services companies worldwide.