How does your organisation cope when your data has left the building — or the country? Data sovereignty can be a vital legal issue, because data becomes subject to the laws of the country it's stored in — and that changes the risk profile.
Once you move to the cloud, you have to worry about compliance issues that result from putting your data in another jurisdiction, as well as compliance with our own Australian requirements.
"This topic has gone from nervous lawyers' backroom stuff to a mainstream business risk-management requirement in a couple of years," says David Vaile, executive director of the gloriously-named Cyberspace Law and Policy Centre at the University of New South Wales' Faculty of Law.
But data sovereignty is just the start of the legal worries. Cloud computing has pushed all manner of once-specialist legal issues from the fringe to the centre of corporate and societal consciousness.
Privacy. Confidentiality. Personal information security, treated broadly rather than just as a technical issue. Cross-border data flow, and the protections that go with it. Data breach notification. Data retention. The identifiability of individuals from the aggregation of supposedly anonymous data. The presumption of innocence. And more. All in just a few years.
"What I'm amazed by is how mainstream a lot of things [have become] that used to be, in the past, obscure or even a bit feral," Vaile said yesterday.
If all that wasn't enough, Australian organisations have yet another problem. An amended Privacy Act comes into force in March 2014 — and according to Eric Lowenstein, client manager at Aon (Financial Services Group), many Australian organisations aren't ready.
"A lot of them have policies and procedures which are outdated. They're not aware of how the change is going to impact their business and, more importantly, how there are opportunities or mechanisms to actually risk-transfer," Lowenstein said.
An example? When one CIO was asked about compliance with respect to the storage of credit card data, he said it wasn't an issue because all credit card data went straight to the bank. But, Lowenstein said, marketing staff attending that meeting pointed to a recent promotion which asked customers to buy a product and then phone a call centre with their credit card details — which were then written down on paper.
"There are a lot of parts of organisations that don't quite understand what the impacts or the ramifications of a privacy breach are, or even the compliance," Lowenstein said.
Privacy lawyer Adrian Lawrence, a partner in the Sydney office of Baker & McKenzie, says that it's frustrating trying to advise clients when nobody yet knows how the courts will interpret the new laws.
"The answer at the moment is, well, we don't really have very much," Lawrence said. At least not until after March 2014. But privacy law is at the heart of data sovereignty, and that comes right back to how organisations will have to build their clouds.
"This is an issue that is not able to be put in a little box of privacy law any more... It's a key compliance issue right at the top level of corporations."
This frustration led one of Baker & McKenzie's clients, data centre operator Next DC, to partner with them and with UNSW to produce a whitepaper, Data Sovereignty and the Cloud: A Board and Executive Officer's Guide, launched in Sydney yesterday.
The authors include Vaile, Lawrence and fellow Baker & McKenzie partner Patrick Fair, plus Kevin Kalinich, global practice leader for cyber insurance at AON PLC.
Subtitled Technical, legal and risk governance issues around data hosting and jurisdiction, the whitepaper is intended to provide a starting point for conversations about data sovereignty.
The document begins with the basics of cloud terminology and technology, and outlines the key features of the cloud from a legal perspective, before a detailed chapter on risk management, corporate governance and insurance issues.
That's followed by chapters on: the steps to take in assessing whether a data set should be stored locally or out of jurisdiction; third-party access under legislation such as the US Patriot Act of 2001, the Foreign Intelligence Surveillance Act of 1978 (FISA) and the Electronic Communications Privacy Act of 1986 (ECPA), amongst others; security issues, including checklists from Australia's Defence Signals Directorate (DSD); and developing a cloud data location policy.
A final section discusses how to integrate all of this with the rest of IT design.
"There's something for everything, although we can't offer the last word on anything. We're trying to get people talking, and to take the stuff seriously, so everyone can work out whether it might matter," Vaile said.
"It's also important not to get completely carried away. We're not suggesting that we're going from blissful ignorance to blind panic about data jurisdiction in one jump. If you do a reality check, you'll realise that some data can happily live anywhere, and some people don't really care anyway."