Data Sovereignty and the Cloud
0 likes398 views
Thou shalt be aware of complex legal and risk issues surrounding data hosting and jurisdiction when using cloud services. National, local, and international laws may apply differently to data stored in the cloud. Additionally, over a third of data breaches involve mistakes by third parties like cloud providers. Proper vetting of cloud providers is important to understand what data will be subject to what laws and ensure adequate security, privacy, and insurance protections are in place.
Data Sovereignty and the Cloud
- 1. A Board and Executive Officers’ Guide Technical, legal and risk governance issues around data hosting and jurisdiction. Data Sovereignty and the Cloud $37 billion in 2013 88% 88% of organisations have at least one data breach each year. The Australian e-commerce market continues to grow; increasing to over $37 billion in 2013. 9% 36% & Ponemon reveals that corporate security professionals are involved in the vetting process for cloud providers an alarming 9% of the time. between 31% 62% 20% Between 36% and 62% say that their data breaches involved mistakes by third parties such as outsourcers and cloud providers. 31% of companies spend 20% budget on cloud Ten commandments I II III IV V NATIONAL LAW LOCAL LAW INTERNATIONAL LAW INSURANCE DATA PROFILE Thou shalt check whether your cloud service provider has extended its insurance policy so that it also includes cover for your data; not all clouds are created equal. Thou must acknowledge it is not the application, but the data which needs to be profiled and classified so a policy can automate its residence within a hybrid cloud. Thou must be aware that information stored in a cloud environment can conceivably be subject to more than one nation’s laws. Thou must remember that the onus is on the business, to ensure the cloud provider used complies with local laws. Thou must remember, by nature a cloud computing environment invites international considerations. VI VII VIII IX X DATA SOVEREIGNTY PRIVACY RULES APPLICATION INTERNATIONAL TREATIES FOREIGN VENDORS PRIVACY ACT Thou shalt investigate and formulate criteria that determine what information should be housed in Australia or exclusively under Australian control. Thou shalt investigate whether ‘personal information’ really needs to be stored in identifiable form, since permanent de-identification can mean privacy rules no longer apply. Thou should know the US has entered into mutual legal assistance treaties with over 50 countries. Thou must be aware a foreign owned vendor may be subject to their country’s laws, even if they operate in Australia. Thou should note the ramifications of the revised Privacy Act coming into effect in 2014, where it is not stipulated that foreign providers must comply with Australian Privacy Law. What to look for when selecting a cloud provider Financial Condition Disaster Recovery Plans Insurance Coverage Methods for Preventing Unauthorised Access or Introduction of Malicious Code Experience with the Customer’s Systems Infrastructure Breach Notification Protocols Data Centre Locations Security Procedures Record of Reliability Similar Practices Hiring Practices