Protecting Data in a Global Reality




By Minda Zetlin

Where does data "live?"

For executives responsible for managing data across international borders, the answer to this question can dictate what data they are allowed to collect, how that data can be used, and whether it must be shared with government or legal officials. While transferring data from one country to another presents definite technological obstacles, the biggest challenges -- and the biggest risks -- have to do with the legal status of that data as it crosses international borders. Organizations that fail to properly prepare for these issues can lose legal protection for their data, have use of the data restricted, or even face fines and other legal sanctions.

But determining which jurisdiction data is located in can be a challenge all by itself.

"Let's say there's a Web site in Germany, and a user is connecting from France, but through a virtual private network (VPN) in the United States. What's the data's exact location?" asks Johannes Ullrich, chief research officer at the SANS Institute, an information security training, education, and research organization. The safest course is to make sure data is handled in accordance with local laws in all the countries it passes through.

Know the issues
How does data protection change from one jurisdiction to another? There are several different areas where crossing an international border can really make a difference:

  • Government surveillance: "Let's say an executive traveling from New York to London goes through customs at Heathrow Airport," says Mark Rasch, managing director at FTI Consulting, Inc. "If customs officers want to inspect -- or even copy -- the files in the laptop, under both U.S. and international law, they have the right to do so." In the same way, he says, driving across the border between the U.S. and Canada makes it legal for the authorities to search a car, although they would need probable cause to do so within the United States. "There is no doubt that data traveling internationally has much less legal protection from government surveillance than data that resides in one country," he says.
  • Use of personal information: An American company that collects information about its customers in Europe may be breaking the law if it transfers that data back to the United States. "Moving data from a country with a strong privacy regime to a weaker privacy regime may violate the law in the country where the data was collected -- and the U.S. has a weak privacy regime," Rasch explains.

In many European countries, privacy directives require any party collecting data about a citizen to notify that citizen as to why the data was collected and how it will be used, and also to keep that data secure. Because these nations have no way to enforce these laws in the United States, many have simply made it illegal to export the data at all. One possible solution is the contractual agreements some non-EU companies are making with local EU governments to treat the data they've collected in accordance with their privacy laws no matter where it is.

  • Employee rights: Many U.S. companies routinely perform background checks and drug tests before hiring employees, especially those who'll be working with sensitive data. They may also use keystroke trackers or other tools to monitor what employees do while on the job. But these practices might be illegal in countries with strong privacy protections for their citizens.
  • Encryption: For years, U.S. laws against exporting encryption made it illegal to carry or send encrypted data abroad. This issue has largely been resolved by regulations that allow the provider of off-the-shelf encryption to submit it to the U.S. Commerce Department for a one-time review and licensing, usually before a product is sold. However, a company with non-standard or customized encryption may need to submit that technology to the Commerce Department for review before taking it abroad. In addition, some countries, including France, place restrictions on the import of encryption technology.
  • Legal discovery: The location and management of data can have huge consequences if the data is ever deemed useful as part of a legal proceeding. For instance, Rasch notes, a U.S. subsidiary of a foreign company that brings the parent company's data into the U.S. may have made that data subject to discovery motions where it otherwise would have been protected. (A U.S. company's data is likely to be discoverable no matter where it is, he adds.)

Staying out of trouble
The message is clear: international laws pose a variety of dangers when it comes to managing data. How can a company with an overseas data center avoid these pitfalls? Here are some best practices that can help:

1. Get local counsel: "One problem is that, even within a group like the European Union, every country has its own set of regulations," Ullrich says. "So what most smart companies do is get a legal opinion from each of the countries involved, and get a local attorney to sign off on all their procedures before putting them in place."

2. Consider both laws and enforcement: Ask not only what laws are on the books, but whether and how those laws are being enforced. "If a country sees better economic benefit from not enforcing a law, they may not enforce it -- which is what's happening with copyright protections and trade secrets in China," Rasch says.

3. Prepare for political changes: Just because a law is on the books today does not necessarily mean it will be tomorrow, especially in nations where there may be a change of regime. As part of a risk assessment, Rasch advises, consider possible changes to the law -- as well as the possibility that corporate assets may be seized or nationalized -- if the political winds shift.

4. Keep clear borders and records: "Maintain some form of a private network and once it's set up, make sure there are clear borders with the outside," Ullrich advises. Steps like these can help clarify exactly where data is and under whose jurisdiction. In addition, he recommends setting specific corporate policies for how data is managed in each country. That way, if any laws or regulations are broken, the company can at least demonstrate it was done in violation of policy.

Finally, keep in mind that many of the laws governing data have never been tested in court. It is therefore impossible to predict what might happen if these laws are broken, or to know how to stay out of trouble.

"One security executive I know works for a company that operates in 150 different countries and has major data centers in three of them," Ullrich says. "His lawyers can't tell him how to deal with these problems. So his company is creating policy on the fly -- and hoping it will work out."

Minda Zetlin is co-author, with Bill Pfleging, of The Geek Gap: Why Business and Technology Professionals Don't Understand Each Other and Why They Need Each Other to Survive (Prometheus Books).
