In light of recent headlines that have turned the spotlight on digital information storage and access rights—news stories that have touched on everything from security clearances to End User Licence Agreements (EULA) to regulatory compliance with the Patriot Act—I thought this would be a great opportunity to give a quick overview of a related subject that’s near and dear to me: corporate data sovereignty and how it’s affected by the cloud storage of enterprise information.
Data sovereignty, the concept that enterprise information is subject to the laws of the country where it physically resides—laws that may define who has access to (and even ownership of) that information—is a growing concern. With the rise of cloud deployments, this topic is one many organizations now need to focus on.
Multi-national customers I talk to are coming to grips with the fact that data they’ve stored in the cloud is subject to a myriad of privacy, security, and usage regulations that vary greatly depending on where the servers that house it are located (known as geo-location).
And, most importantly, they are beginning to realize there are repercussions inherent in not developing a comprehensive, well-thought-out Information Governance program that ranks the sensitivity of various types of corporate data and dictates how and where it’s stored.
Need proof? Let’s start with “how” the data is stored. In the oft-pursued path of least resistance, many organizations have opted to look the other way when it comes to employees using public file sharing services to manage, distribute, and collaborate on corporate information. In truth, there are many substantial concerns with this practice, but one of the most serious is right there in eye-opening black and white for anyone who reads the EULA of many of these providers. They state very clearly that the host has the right to access and use your information for a variety of reasons without notifying you. Here are a couple of prominent examples:
“When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”
Section 5, Paragraph 2: “Your Content in our Services”.
We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights.
Moreover, some providers go on to state that these usage rights remain in place even after you’ve removed said information from their service. Yes, it’s now permanently theirs to use for assorted purposes. Sound like you’ve still got ownership and control of your corporate information?
Can You Find Your Enterprise Information on a Map?
The “where” data is stored is equally disconcerting. Because of its very name, cloud storage has developed this connotation of great masses of data hovering nebulously in cyberspace. The reality is that all that data is stored on servers that are physically situated somewhere. And exactly where influences the legal position of that data.
It’s a detail organizations must know when it comes to each and every individual piece of enterprise information stored in the cloud. Almost every jurisdiction around the world has imposed, to varying degrees, data export controls, information security regulations, and electronic surveillance policies. And more information security policies are being developed every year. Organizations must be up to date on:
- Data examination and ownership statutes in the geographical territory where their data is generated and/or stored
- Regulations concerning data exchange across borders for every territory in which they have operations
- The applicable laws of the territories their data passes through when being transferred
Overlooking or ignoring any of the above jeopardizes regulatory compliance, eDiscovery conditions and possibly the ownership of your information.
To tie it all together, a well-informed information governance policy is aware not only of the regulations of relevant industries and territories but also of how they mesh with your in-house IT architecture and the SLAs of potential cloud storage providers. It’s worth the effort to perform your due diligence here. Developing a matrix that encapsulates all these details will provide clear direction on which geographical territories and cloud media should, and should not, play a role in your information storage.
Enterprise Information is Your Organization’s Most Valuable Asset
While there is great consideration given to the privacy of personal information in most countries through initiatives like the Safe Harbor framework, surprisingly little attention is devoted to the ownership and control of corporate data. My responses to those customers who ask always circle back to the same singular point:
Every company that operates in more than one country (or in some cases more than one province or region) should have crystal clear insight into the storage of their enterprise data as part of a comprehensive Information Governance program.
To flip a common cliché, there is a potential dark lining around that silver “cloud”. However, carefully considered attention to detail will ensure data sovereignty issues don’t derail the many positives of cloud storage.