Australian businesses need to be aware that US companies providing 'hard drive in the sky' storage, even if that infrastructure is based in-country, may be subject to foreign government data access laws and Acts. Australian cloud provider Ninefold warn that understanding who has legal access to company and personal private data is not as simple as checking a box and selecting the 'in-country' option.
Perhaps most worrying is that in some circumstances cloud providers who fall subject to a US request for information under the US Patriot Act may not even be allowed to tell their customers that their data was accessed.
“Many businesses have assumed that a local data centre, even if owned by an offshore provider, is enough to avoid data sovereignty issues,” said Peter James, Managing Director at Ninefold. “However, data stored in an Australian data centre owned by a provider headquartered in the US would face the same exposure to the US Patriot Act – and wider US law - as if it were stored in California.”
The USA Patriot Act was signed into law in the US in October 2001. The name of the Act is in fact a clever one; USA PATRIOT stands for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism'. While a shorter name with a broader focus may have resulted in an acronym more difficult to remember, the focus of the Act is clear - the focus is on terrorism.
So should Australian companies be worried about the US government accessing their data under terrorism laws? In reality it's not just the US government.
Australian data access laws, not dissimilar to the US Patriot Act, apply when it comes to organistions with demonstratable links to terrorist organisations. While the Privacy Act protects financial information and compliance laws are constructed to protect data at rest, the Australian Federal Police and other Government organisations may issue a search warrant to seize data, control of infrastructure or confiscate goods (computers, mobile phones, storage, etc) which may be connected to a crime. This may even include 'tapping' and transparently proxying connectivity between users, organisations and the wider Internet.
Certainly issues arise where US law and other local jurisdictions coincide, debate rages over which law should have precedence.
This has prompted comment from members of the European Parliament in recent times, as the European Union's Data Protection Directive requires organisations to inform users when they disclose personal information, unlike data accessed under the US Patriot Act.
A caution does need to be made; in some cases the ability to monitor a filesystem without alerting the owners of that filesystem is the difference between establishing a case for prosecution and potentially warning the terrorist the police are onto them. The police and government agencies combating terrorism (and cyber crime) need certain powers to be able to do their job.
Mark Vincent, Partner at Shelton IP Lawyers, specialises in advising on cloud and data jurisdictional issues. “It’s no surprise that a subsidiary of a US company can be required to comply with US laws. That aspect of jurisdiction is pretty well known and there are a lot of laws that apply to US companies as they do business all around the world.”
Ninefold's Peter James holds the view that data held in-country is safest, but points out that a risk assessment is the first step to understanding your risk.
“Take a risk assessment of your data. Once you’ve identified your high risk and low risk data, you can apply different criteria to each when planning your data storage strategy. Legal and regulatory considerations are of paramount importance for high risk data, but the other criteria of price, latency, reliability and service may be more important to you when dealing with low risk data. A risk management strategy can help you minimise the risk not only now, but in the future as laws continue to shift.”
Amazon Web Services, vocal in the area of data sovereignty, claim that regardless of where you store your data you should take the necessary steps to encrypt and protect that data. Speaking recently in Sydney to a room of AWS partners and customers, CTO Werner Vogels explained that organisations should encrypt private data for transit to the Cloud — and to employ best practice when it comes to classifying data held in the cloud. Talking to a group of IT professionals after his presentation, Vogels suggested that it's not necessary to encrypt everything due to the overheads involved.
Great advice when it's just disk space in the cloud, but what about the data held by an application hosted as a service?
When using cloud based email filtering products such as Cisco's IronPort Cloud Email Security, what guarantees do you have that any data stored in cloud based quarantines is encrypted or protected? Is the customer data stored in a cloud based CRM system, or the documents inside a cloud based word processing, visible to the administrators of those services? Is that data encrypted at rest?
What happens to the backups? Where are the logs kept? And if you migrate away from a particular service can the provider guarantee that ALL your data has been removed from their environment?
Ninefold has released a number of resources on its website (http://ninefold.com/data-jurisdiction/) designed to help businesses understand the issues, assess the risks and design an appropriate data strategy. Most companies start with the classification of data, and the assessment of the economic and legal risks involved.
One thing is certain, it's not just about whether the datacentre you're using is located in your nearest capital city, or whether the company you've engaged to manage your cloud storage is headquartered in the USA. It's about the data.