A STORM IN THE CLOUD – DATA SECURITY AND INTERNATIONAL LAW
By Torgny Gunnarsson, CEO, Imprima
A number of recent events have sparked worldwide debate about companies’ data security. Some of these events will be familiar to many, but others have drawn surprisingly little coverage in the media, considering their far-reaching consequences.
One of the recent data issues with the widest coverage was the Heartbleed bug. The bug was a vulnerability in OpenSSL code that could be exploited to extract personal information. The flaw reportedly has the potential to affect two thirds of all websites, and major tech companies have created a fund to go towards the development of safeguards against the Heartbleed bug. Part of the widespread concern is that the extent of the damage this has caused remains unclear. Yet like the development of any new technology – and we must remember that mass use of the internet is still very much in its infancy, technically speaking – there will be errors, they will be fixed, and the industry will move forward and be stronger for it. In the tech industry this is especially true, as the worldwide adoption of the internet means there’s a huge amount at stake if mistakes are made.
Of more concern to the financial sector, and garnering far less worldwide coverage, is Microsoft’s announcement that they’re looking to leverage their compliance with the EU’s stringent data protection law to draw in new business. The significance of this is owed to one simple fact about data security – it matters where companies store their data. Even the cloud is tethered somewhere on earth. Many companies have data and files which are stored on cloud-service providers’ servers potentially thousands of miles away. Where that data is physically stored directly impacts the security and integrity of that data. Data stored in the EU benefits from the protection of the Data Protection Directive, arguably the most stringent data protection legislation in the world. Outside that area, the ability of governments to access private company information, and the lack of wider, codified legislation to protect confidential data, mean that, in principle, company or private data can be far less secure. Indeed, the EU itself maintains only a very short list of countries outside its borders which it considers to offer ‘adequate’ data protection.
Of most concern – and there’s been surprisingly little press coverage given its enormous implications – is the news that under a US search warrant, the US Government can force tech companies to hand over foreign cloud data and email data. The legality of this judicial announcement is highly questionable, as it jars with existing EU legislation protecting such data. Indeed, it seems Microsoft have refused to comply with the order to hand over the Dublin-based data owing to this overreach in jurisdiction. Nonetheless, it represents a growing tension between the US and the EU in the relationship between privacy and security. In the US, concerns over terrorism and national security engender an attitude to data protection akin to ‘if the government needs our private data to keep us safe, then so be it’. In the EU, the prevalent attitude is that there needs to be overwhelming proof of an imminent threat if confidential data is to be handed over to governments. The stage is set for an interesting legal tussle. Yet that isn’t much use for financial companies wondering what they need to be doing now to protect their data.
One of the predominant issues flagged up by these data breaches is that companies are best off using cloud-services which house user data securely in the EU, owing to the comprehensive security of the European Data Protection Directive. Opting for service providers who store data outside the EU is comparatively questionable, given the more tangible protection on offer within the EU. After all, people who are truly concerned about break-ins don’t leave their key under the mat. Company data privacy is too important to take shortcuts.
Of course, it’s all very well ensuring that company data is stored in the safest place, but it’s also crucial – particularly for those in the financial sector – to ensure that such sensitive data is stored with the safest people. Choosing which cloud service providers to work with can be difficult, but given that companies are partly handing over custody of important data, it’s vital to choose well. At Imprima, for example, we’ve realised the importance of ensuring that we are accredited to the highest levels of security achievable. Our security-minded customers expect nothing less. That’s why we are so pleased to have been awarded the ISO 27001 accreditation, in recognition of the high security standards of our data centres, the platform, our processes and our staff.
Indeed, many companies overlook the human risk when it comes to their data security. There have been many instances of deliberate and non-deliberate data leaking from internal sources. Often this is accidental, perhaps through an employee wanting to do some extra work, taking some files home on a USB drive, and working on an insecure network. This is often down to a lack of staff training about a company’s data security policy. Companies must demand the highest levels of software security and staff training, both internally and from the cloud service providers they employ, in order to keep their private data private. A recent investigation found that some large institutions aren’t even taking the basic step of ensuring their employees’ computer screens can’t be seen from the street. It’s important for companies to remember that offline threats linger, despite the move to the cloud.
You don’t have to be a conspiracy theorist, or a Snowden devotee, to realise that data security is a serious business. While international law governing data privacy is still in its infancy, it’s vital that companies are doing all they can to protect themselves from unwanted or unauthorised access to company data.