George Tsounis, senior vice president of information technology and development and Dan Charboneau, information security lead, Epiq Systems
Cross-border data security risks and best practices
29 August 2013
17 July 2014
9 July 2014
24 April 2014
28 October 2013
30 June 2014
Cross-border data transfers are not only frequent, but often crucial components of everyday business. Today’s patterns of global dataflow are unrecognisable compared to that of 20 years ago, and developments in global communication networks and business processes continue to evolve at a rapid pace.
Advances in technology have enabled data to be moved rapidly and stored indefinitely. As we move data from data centre to data centre and/or across borders, security breaches become a tangible risk. There is also the potential to violate national and international data transfer regulations and privacy laws. These latter risks are becoming more common as more countries implement privacy laws that regulate cross-border data transfers. These laws typically forbid cross-border transfers unless certain conditions are met or impose regulatory obligations upon the transferring companies.
Along with a general increase in cross-border data activity, there has been an increase in cross-border litigation — and therefore, in data disclosure activity.
As information technology and privacy legislation around the world changes rapidly, legal and technology practitioners must be informed regarding best practices, applicable laws and regulations, and security protocols to keep data safe within data centres, during transit between data centres and in connection with a cross-border transfer.
To protect data effectively when addressing cross-border data issues, you must consider the lifecycle of the relevant data. The basic components of the data lifecycle are as follows:
Create/capture: The process of receiving or creating data, whether captured from a website, a file transfer or a physical acquisition, will affect handling. Each method of creation or capture will require a different form of protection to ensure the information is safeguarded
Index and classify: Once the data has been securely acquired, appropriate rules must be applied. The first step is to identify the type of data acquired. Is it personally identifiable information (PII)? Is it an image or a document? What kind of document? Carefully sifting and sorting the data into the correct “bucket types” will greatly aid in the compliance with international data privacy regulations and will also make the disclosure process more efficient.
Store/manage: Where will the data be stored? Will this means of storage provide adequate levels of protection? This information will drive what protection controls are applied. If the data consists of PII or potential PII, then the organisation may be legally required to store the data in a disk-based encryption format and encrypt backup copies of the data.
Retrieve/publish: Once you have securely transferred data across the border, you must then make it available for use by ensuring that data is encrypted at each stage – when it is transferred, stored and displayed. It must also be made certain that the data cannot be decrypted in countries where it must not be transferred, and that access to systems such as network paths which enable cross-border transfers is controlled.
Process: It is important to ensure the data is only used for authorised purposes and in compliance with applicable laws. Application controls and metadata tagging are helpful during this phase.
Archive: When the data is no longer needed, issues of long-term storage in compliance with the applicable policies and legal requirements arise. Is the backup onsite or offsite? Do your backups cross international borders? Are the backups governed by other countries’ privacy and data protection laws? The answers to these questions will help ensure that all potential risk areas are mitigated.
Destroy: At every stage, protected data must be rendered unusable, in accordance with applicable legislation. Ensure the destruction of archives, files, physical copies and any other copies. However, there could always be an exception to the rule, so processes need to be in place for data excluded from regularly scheduled destruction cycles. For example, data subject to legal holds and discovery requests, as well as data governed by cross-border privacy legislation, are commonly excepted.
Even with the most robust policies, processes and systems, continuous vigilance is required. Organisations should:
• Monitor changes to the regulatory and security landscape• Ensure that processes are in place to meet challenges in compliance or technical security controls.
• Ensure that breaches of data that has cross-border or inter-jurisdictional ramifications can be managed.
Although much discussion has occurred around the creation of international standards for data security and privacy controls, a true international set of standards has not yet been developed.
Until then, meaningful protections for data — both domestic and international — will remain an issue for organisations of all kinds. Companies conducting business internationally, contracting with international vendors or hosting data with international data centre providers must develop effective strategies to meet their current and future obligations related to international data transfer and data security best practices.
Individuals, governments and business all have a stake in data security, whether they’re directly involved or not. Staying up to date on best practices, implementing an information governance program, identifying effective mitigation techniques and continuous validation, combined with strong incident response, will enable organisations to meet the challenges presented by cross-border data transfers and security.