Where Should You Store Your Data?
Choosing a location for housing your business information requires deep knowledge of geographic laws and a comprehensive risk analysis.
29 May 2014
Choosing a location for housing your business information requires a deep knowledge of geographic laws and a comprehensive risk analysis. Businesses could have legal and/or ethical obligations to protect data in one jurisdiction, but may need to share that information with another jurisdiction depending on legal requirements.
With regard to geographic laws, you’ll want to consider several factors when deciding where to physically store your data. First, the laws where an organization is headquartered could allow governments to require access to your data within their custody. Second, look at your information’s subject matter. The type of content could make that information subject to some government’s jurisdiction, no matter where it is housed. As an example, under Massachusetts state law, data concerning Massachusetts residents is subject to data breach notification law; the actual location of the data does not matter. You’ll also need to determine whether your business may have interests related to local governments. If so, these governments could gain access to your information stored in another place. You should also consider your location’s mutual legal assistance treaties (MLATs), agreements between countries that allow one country’s agents to call on another country to acquire information if desired, even if the requesting country does not have physical or legal access to obtain it. Make sure you also think about the transit patterns of information. When information is shared between organizations, it sometimes passes through many countries. When that happens, any of those countries could claim jurisdiction over that data too.
After you consider the physical location of the data, the next step is to perform a detailed risk analysis that considers the array of potential threats your organization could encounter. To kick this off, businesses need to understand the laws and how governments act around them. In addition, think about using a service that provides data encryption in transit and multi-factor encryption keys that are owned and managed by the company to ensure security.
As a closing thought, choosing where to house your information shouldn’t be determined overnight. A full geographic breakdown of information protection laws covering intelligence, law enforcement activity and data protection enforcement requires ample consideration and analysis. For more information about where to store your information, check out our whitepaper, “Data Privacy: Where Should I House My Data?”
John Landy is the chief security officer at Intralinks. Having served as chief technology officer at Intralinks for the past 5 years, he utilizes his technical background to work with clients to understand their security needs in sharing and storing sensitive information. John has been working on internal Intralinks controls for enterprise security and corporate risk and oversees a function comprising Customer Engagement, Security Architecture and a Security Operations Center.