In light of recent headlines that have turned the spotlight on digital information storage and access rights—news stories that have touched on everything from security clearances to End User Licence Agreements (EULA) to regulatory compliance with the Patriot Act—I thought this would be a great opportunity to give a quick overview of a related subject that’s near and dear to me: corporate data sovereignty and how it’s affected by the cloud storage of enterprise information.
Data sovereignty, the concept that enterprise information is subject to the laws of the country where it physically resides—laws that may define who has access to (and even ownership of) that information—is a growing concern. With the rise of cloud deployments, this topic is one many organizations now need to focus on. Multi-national customers I talk to are coming to grips with the fact that data they’ve stored in the cloud is subject to a myriad of privacy, security, and usage regulations that vary greatly depending on where the servers that house it are located (known as geo-location). And, most importantly, they are beginning to realize there are repercussions inherent in not developing a comprehensive, well-thought-out Information Governance program that ranks the sensitivity of various types of corporate data and dictates how and where it’s stored.
Need proof? Let’s start with “how” the data is stored. In the oft-pursued path of least resistance, many organizations have opted to look the other way when it comes to employees using public file sharing services to manage, distribute, and collaborate on corporate information. In truth, there are many substantial concerns with this practice, but one of the most serious is right there in eye-opening black and white for anyone who reads the EULA of many of these providers. They state very clearly that the host has the right to access and use your information for a variety of reasons without notifying you. Here are a couple of prominent examples:
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.
Section 5, Paragraph 2: “Your Content in our Services”. http://www.google.com/intl/en/policies/terms/
We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights.
Moreover, some providers go on to state that these usage rights remain in place even after you’ve removed said information from their service. Yes, it’s now permanently theirs to use for assorted purposes. Sound like you’ve still got ownership and control of your corporate information?
Can You Find Your Enterprise Information on a Map?
The “where” data is stored is equally disconcerting. Because of its very name, cloud storage has developed this connotation of great masses of data hovering nebulously in cyberspace. The reality is that all that data is stored on servers that are physically situated somewhere. And exactly where influences the legal position of that data.
It’s a detail organizations must know when it comes to each and every individual piece of enterprise information stored in the cloud. Almost every jurisdiction around the world has imposed, to varying degrees, data export controls, information security regulations, and electronic surveillance policies. And more information security policies are being developed every year. Organizations must be up to date on:
- Data examination and ownership statutes in the geographical territory where their data is generated and/or stored
- Regulations concerning data exchange across borders for every territory in which they have operations
- The applicable laws of the territories their data passes through when being transferred
Overlooking or ignoring any of the above jeopardizes regulatory compliance, eDiscovery conditions and possibly the ownership of your information.
To tie it all together, a well-informed information governance policy is not only aware of the regulations of relevant industries and territories but also how they mesh with your in-house IT architecture and the SLAs of potential cloud storage providers. It’s worth the effort to perform your due diligence here. Developing a matrix that encapsulates all these details will provide clear direction on which geographical territories and cloud media should, and should not, play a role in your information storage.
Enterprise Information is Your Organization’s Most Valuable Asset
While there is great consideration given to the privacy of personal information in most countries through initiatives like the Safe Harbor framework, surprisingly little attention is devoted to the ownership and control of corporate data. My responses to those customers who ask always circle back to the same singular point:
Every company that operates in more than one country
(or in some cases more than one province or region) should have
crystal clear insight into the storage of their enterprise data
as part of a comprehensive Information Governance program.
To flip a common cliché, there is a potential dark lining around that silver “cloud”. However, carefully considered attention to detail will ensure data sovereignty issues don’t derail the many positives of cloud storage.