Cross-border data transfer throws up security issues. Sergey Nivens
Cross-border data transfers are frequent and crucial components of everyday business. Over the last 20 years, patterns of global dataflow have evolved at a rapid pace due to developments in global communication networks and business processes. As data is moved from data centre to data centre and/or across borders, security breaches become a tangible risk. There is the potential to violate national and international data transfer regulations and privacy laws. These risks are becoming more common as more countries implement privacy laws that regulate cross-border data transfers. These laws typically forbid cross-border transfers unless certain conditions are met or impose regulatory obligations upon the transferring companies.
Along with a general increase in cross-border data activity, there has been an increase in cross-border litigation — and therefore, in data disclosure activity. As information technology and privacy legislation around the world changes, legal and technology practitioners must be informed regarding best practices, applicable laws and regulations, and security protocols to keep data safe within data centres, during transit between data centres and in connection with a cross-border transfer.
In the context of cross-border data issues, to effectively protect data you must consider its lifecycle. The main features of the data lifecycle are:
Create/Capture: Receiving or creating data, whether captured from a website, a file transfer or a physical acquisition, will affect handling. Each method of creation or capture will require a different form of protection to ensure the information is safeguarded.
Index and Classify: After the data has been securely acquired, appropriate rules must be applied. The first step is to identify the type of data acquired. Is it personally identifiable information (PII)? Is it an image or a document? What kind of document? Categorising data into the correct “bucket types” will facilitate compliance with international data privacy regulations and will also make the disclosure process more efficient.
Store/Manage: Where the data is stored will drive what protection controls are applied. If the data consists of PII or potential PII, then the organisation may be legally required to store the data in a disk-based encryption format and encrypt backup copies of the data.
Retrieve/Publish: After securely transferring data across the border, you must then make it available for use by ensuring that data is encrypted at each stage – when it is transferred, stored and displayed. Data cannot be decrypted in countries to which it is not being transferred, and access to systems, such as network paths, that enable cross-border transfers must be controlled.
Process: To ensure the data is only used for authorised purposes and in compliance with applicable laws, application controls and metadata tagging are helpful tools.
Archive: When the data is no longer needed, issues of long-term storage in compliance with the applicable policies and legal requirements arise. Is the backup onsite or offsite? Do your backups cross international borders? Are the backups governed by other countries’ privacy and data protection laws? The answers to these questions will help ensure that all potential risk areas are mitigated.
Destroy: At every stage, protected data must be rendered unusable, in accordance with applicable legislation. Ensure the destruction of archives, files, physical copies and any other copies. However, processes need to be in place for data excluded from regularly scheduled destruction cycles, for example data subject to legal holds and discovery requests, as well as data governed by cross-border privacy legislation.
Even with the most robust policies, processes and systems, continuous vigilance is required. Organisations should:
• Monitor changes to the regulatory and security landscape.
• Ensure processes are in place to meet challenges in compliance or technical security controls.
• Ensure breaches of data that has cross-border or interjurisdictional ramifications can be managed.
Meaningful protection of data
Until a true international set of standards for data security and privacy controls is developed, meaningful protections for data — both domestic and international — will remain an issue for organisations of all kinds. Companies with international operations must develop effective strategies to meet their current and future obligations related to international data transfer and data security best practices.
Staying up to date on best practices, implementing an information governance program, identifying effective mitigation techniques and continuous validation, combined with strong incident response, will enable organisations to meet the challenges presented by cross-border data transfers and security.
George Tsounis and Dan Charboneau, Epiq Systems