That shiny new cloud is just so tempting. At just the click of a button, you can move your corporate data to it and enjoy the financial and operational benefits. But wait – before moving any data to the cloud, make sure you fully understand the legal and regulatory implications of doing it, especially the jurisdiction where your data is to be located.

The issue of data jurisdiction has always been with us – it’s not a new ‘cloud’ thing. However, with cloud services excitement reaching fever-pitch, it’s a good opportunity to discuss it again.

If, up-to now, your data has all been hosted by your company in the same jurisdiction and all your users are in that jurisdiction, then you probably haven’t had to think about this before. Read on ….

.

What’s the difference between a jurisdiction and a country ?

I know it sounds like the start of a nerdy joke, however …. a jurisdiction refers to a bounded space that is subject to its own laws and regulation. In some instances a jurisdiction is a country. For example:

• The USA is a country, but its different states have their own laws, which means the USA has multiple jurisdictions (albeit also with USA-wide laws and regulation).
• England is a country and a jurisdiction. Its laws and regulations covers its entirety.
• Jersey in the Channel Islands is not a country but has its own laws and regulations, so is a jurisdiction. Before you ask, Jersey is neither a country, or part of England !

.

Why should I care where my data is ?

If you have a responsibility for IT or hold a senior position in your organisation, you have a responsibility to ensure that your data is stored in a jurisdiction that has data protection laws at least as strong as your current jurisdiction. I used the term ‘data protection’ in lower-case deliberately, as I refer to the wider laws and regulation that govern the protection and access to data in a jurisdiction. This includes the jurisdictions actual Data Protection law.

Here are a few examples of why you need to care where your data is hosted:

• For non-Americans who host their data in the USA, they must be aware of the USA Patriot Act. This law presents two issues regarding data stored in the USA.
  • Firstly, USA law enforcement agencies can access your hosted data in the USA if they consider it ‘relevant’ to their investigations. This is much easier to meet than the usual ‘probable cause’ test.
  • Secondly, if your hosted data in the USA is accessed by the USA law enforcement agencies, the data holder (the cloud service provider based in the USA) is not permitted to tell the non-USA data owner (that’s you) that their data has been accessed, even if the cloud service supplier is contractually bound to advise them.
• Law protection authorities in many locations (as mentioned above for the USA) can seize your data with the relevant orders. For example, suppose your cloud service provider hosted a business that wasn’t as law abiding as your company. If the local law protection authorities raid the cloud service provider and take all the equipment – they are unlikely to be interested in the fact that other clients are using that equipment – they want to ‘catch their man’.
• If, during an investigation, a law enforcement agency seized a server in their jurisdiction, but it contained data about your clients in a different jurisdiction, would this infringe your clients data protection rights and would you be breaking the Data Protection law for locating the cloud service there ?
• Some regulatory authorities take the view that they either regulate or have a responsibility for businesses whose data is stored in their jurisdiction.
• Some jurisdictions consider the tax on a transaction to be borne in the jurisdiction that the transaction was made. For some automated transactions, such as online gaming, this is often where the processing is performed. Therefore, beware of the location where your processing and data is based. This is why some companies are attracted to particular jurisdictions for transaction-based tax reasons.

.

How do I know where my cloud data is ?

There is only one sure way – ask the cloud service provider.

With commodity cloud service providers, you will have a non-negotiable clickwrap contract. All you can do with this is read it and accept or reject it – there is no negotiation.

Some commodity cloud service providers are not so forthcoming about their locations, but many are open with you about their jurisdictions. For example, Amazon’s ECC is available in USA East (Northern Virginia), USA West (Northern California), European Union (Ireland), and Asia Pacific (Singapore). Mimecast, as another example offers its clients a choice of jurisdictions.

If you can’t determine which jurisdiction(s) your data will be hosted in, you have to work on the assumption that your data is hosted ‘somewhere’. That makes the decision to use the cloud computing service more difficult, as you don’t know where you data will be located and which laws and regulations will apply.

Here are a few things not to do, in order to try and find the cloud providers jurisdiction(s):

• Don’t try to use traceroute to pin the website to an IP address and location. Most large cloud service providers have data centres in different locations and countries and dynamically move processing and content between them to optimise performance and network utilisation.
• Don’t assume that your data is at the cloud service providers office address or even in that jurisdiction.
• Don’t assume the data is stored in the location denoted by the URL address. E.g., a website suffix of .com doesn’t mean the cloud service is located in the USA.
• Unless specified, don’t assume the cloud service provider only uses their infrastructure. Some host their infrastructure on an underlying provider.

.

Can I host my data outside my jurisdiction ?

As you will have gathered by now, it’s not a straight forward ‘yes’ or ‘no’ answer. It depends on your location, the cloud service providers data location(s), the laws and regulations in those locations and any client contracts/agreements you may have.

• Make sure the new jurisdiction has data protection laws at least as strong as your current jurisdiction. This refers to the wider laws and regulation that govern the protection and access to data in the jurisdiction, including the jurisdictions actual Data Protection law.
• If transaction processing will happen in another jurisdiction, make sure that your taxation position isn’t impacted.
• If you are a licensed or regulated services provider, make sure that your current jurisdiction’s regulator is happy with your chosen data location.
• If you are a licensed or regulated services provider, make sure that you won’t be subject to the regulator in the new jurisdiction and that you won’t be required to have additional license(s) to operate from that location.
• Make sure there is nothing in your terms and conditions or client agreement/contract that would prohibit you moving data to a different jurisdiction. For example, banks that acquire clients from another bank can find that the client agreements are old and commit to the client’s data being in a particular jurisdiction.
• Don’t forget to find out where the cloud suppliers contingency site is and if they use backup media and where that is stored. If these are in different jurisdictions, you need to be aware.

.

Possible solutions

The obvious solution

The obvious solution is to use either a ‘private cloud’ or a ‘public cloud’ in which the supplier guarantees the location of your data.

Jurisdictional cloud computing services tend to be more expensive but are gaining popularity, for example, the OneSource service from Jersey Telecom and Virtustream.

More complex solutions

Clients of cloud computing infrastructure services tend to encrypt the data held at the hosting provider. This means that the cloud services provider is a custodian of the data and has no part in its use. Whilst encryption is easy to implement for infrastructure level services such as IaaS, PaaS and DaaS, it is more difficult at the software provision level (SaaS).

Another solution is to use ‘hybrid cloud’. This extends the cloud into the infrastructure in your premises. The cloud service provider would install a server in your premises which keeps sensitive data in your jurisdiction and under your control. The sensitive data is still stored in the cloud service, but in a tokenised form.

An example of this is PerspecSys who have implemented such a solution with Salesforce.

.

Also read ….

• Cloud Computing – what is everyone so excited ?
• Cloud-based backup services

.

And finally ….

If you have read this far and are still looking for the answer as to whether you can move your data to a cloud, you will have gathered that it’s not straight-forward to answer. It depends on your location, the cloud service providers data location(s), the laws and regulations in those locations and any client contracts/agreements you may have.

Please note, I am not qualified in legal or tax. These are guidelines based on my personal experience. If in doubt, get professional legal advice. Data jurisdiction, taxation, law and governance is a complex matter. A relatively small amount spent on good legal advice will be much less than a lawsuit later-on.

.

.

In 2008, Sharp Copiers commissioned a security survey. They found that 60% of the respondents were unaware that copiers stored electronic images of the copied documents. People were also  not aware of, or not willing to pay for security packages offered by the major copier manufacturers. These encrypt or erase an image from the hard drive.

A recent news story is a scary reminder, after client data was found on a company’s used photocopier in a warehouse of second-hand equipment, when it was returned at the end of its lease.

Remember the saying “one man’s trash is another man’s gold” – just because you can’t access data on a faulty piece of media doesn’t mean someone else can’t.

How do you make sure that your equipment doesn’t contain any valuable company data when it leaves your premises ? Read on ….

Should I worry about this ?

In my view, the answer is “Yes!” (you probably guessed that, given I went to the trouble of writing this). If you think I am paranoid, read this news story from April 2010 …. 

A USA New York based organisation, Affinity Health Plan, had to notify 409,000 employees, providers, members and applicants that their personal information may have been breached. This was after CBS news reported that it had found a used photocopier machine in a warehouse that contained Social Security numbers, birth dates and medical info from Affinity Health Plan.  

Affinity Health Plan said that the potential breach was caused by a simple lack of knowledge about the way photocopiers store data. “Like many organizations across the country, we were not aware copy machines contained hard drives that need to be wiped” said Affinity’s senior vice president of Customer & Community Connections, Abbe Abboa-Offei. Their press release can be read here.  

Leaked or stolen data is not only bad for the individuals whose personal information has leaked, it can be expensive for your company in terms of legal fees, claims, settlements etc. Also, it doesn’t help your company to have a story published that suggests you don’t take care of an individual’s personal information.

If you aren’t convinced yet, remember that there are strict industry standards and government regulations in place that force organisations to mitigate aagainst the risk of unauthorised exposure of confidential data, such as Sarbanes-Oxley Act (SOx) and the Payment Card Industry Data Security Standards (PCI DSS). Failure to comply can result in fines and damage to company reputation, as well as civil and criminal liability.

What should I do to protect my company ?

You need to take a number of steps ….

• Firstly, you need a policy covering this subject. Don’t bury it in another policy – this is important and warrants its own document. A policy is not just words in a document, it sets the company standards and allows enforcement of them.
• Secondly, you need procedures that detail how different types of equipment are made safe when being disposed of.
• Thirdly, you need to ensure that sub-contractors and suppliers are contractually bound to follow your policies and procedures.
• Lastly, you need to communicate it. This doesn’t just mean e-mailing a document or posting it onto your Intranet. You must educate your employees, sub-contractors and suppliers about why this is so important.

You need to include any equipment that either contains data or has contained data in the past. This could include the following:

• Backup tapes, floppy disks (yes, they are still used in some places)
• DVDs, CDs, BluRay discs
• USB flash memory keys
• Any other removable memory, such as flash memory from a PDA, IPod or camera
• Equipment that contains data or configuration data in its internal memory, such as network equipment.
• Mobile phones, Blackberry devices, PDAs, IPods and similar devices.
• Internal hard drives from any device including PCs, servers, printers, photocopiers, fax machines. multi-function devices (MFDs) and network equipment.
• External hard drives

Remember that if you can’t access the data on a faulty piece of media, someone else may be able to using forensic methods. Therefore, the same rules should apply to media that you deem faulty.

Also, remember not to let a supplier take a disk offsite. For example, if your leased MFD fails, don’t let the engineer take the disk from your site. Don’t let them convince you that their contract gives you protection of the data on the disk. It is your data, not theirs. Any data leakage will be linked by the media to yourself, not a subcontractor.

Oh no, not another policy

Make sure your company has a policy for the secure moving of equipment outside of your company. The policy should cover the following:

• All equipment that has the ability to store data, such as PCs, servers, printers, photocopiers, fax machines, network equipment, mobile phones and PDAs/Blackberrys.
• Secure disposal of equipment that is end-of-life and will be scrapped or recycled.
• Safely allowing equipment to be sold or given to staff, charities, schools or other organisations.
• Removal/exchange of equipment or parts of equipment for servicing – for example the hard disk in a photocopier.
• Removal/exchange of equipment when at the end of its lease - for example a MFD.
• The policy should not just cover equipment managed by the IT team, but any other relevant equipment managed by another team in the company or outsourced to a third party.

Process needed

Hard disks

• This includes all hard drives that have been used by your business – whether internal to a PC or server, externally attached or used in a printer, photocopier, fax machine or elsewhere.
• If the hard disk isn’t too old to be unusable, it is possible to use specialised software to completely remove any data from it. Be carefull, as many products claim to do this but aren’t comprehensive – it will look as if it has worked, but you won’t really know ! Have a look here for details of data erasure standards.
• Many hard disks that you need to dispose of will be faulty or just too old to be of use. In this case, they should be destroyed even though it may make reuse of the PC uneconomic – i.e., the need to purchase a replacement disk.
• To destroy a hard disk, it should formatted and then physically destroyed – normally by guillotining it into pieces. Remember that hard drives are almost 100% recycleable.
• If you outsource the disk destruction, it should be degaussed onsite before transportation. See the section later in this document about degaussing.
• Keep a log detailing the following:
  • hard disk manufacturer
  • disk capacity
  • serial number (if it has one)
  • business system name it came out of
  • details of the data it contained (for example, ‘file server RAID disk’)
  • date formatted ready for destruction and by whom
  • date degaussed ready for destruction and by whom
  • date destroyed and by whom

Backup media

• This includes media such as backup tapes, data cartridges, tapes used for voice recordings and even the old-school dictation machine tapes.
• To destroy this type of media, it should formatted and then physically destroyed – normally by guillotining it into pieces.
• If you outsource the destruction, it should be degaussed onsite before transportation. See the section later in this document about degaussing.
• Make sure you remove any identifier that could link it your company, such as labels.
• Keep a log detailing the following:
  • any reference number previously assigned, such as backup tape number
  • media manufacturer
  • media capacity
  • business system it was used for
  • details of the data it contained (for example, ‘file server month-end backup June 2009′).
  • date formatted ready for destruction and by whom
  • date degaussed ready for destruction and by whom
  • date destroyed and by whom

Removable disks

• This includes diskettes, DVDs, CDs and BluRay discs.
• To destroy this type of media, it should be shredded (many office shredders can now cope with disks).
• Diskettes will need breaking open to take the disk out of the casing before shredding or cutting-up.
• Keep a log detailing the following:
  • any reference number previously assigned, such as backup tape number
  • media manufacturer
  • media capacity
  • business system it was used for
  • details of the data it contained (for example, ‘client presentation’).
  • date formatted ready for destruction and by whom
  • date degaussed ready for destruction and by whom
  • date destroyed and by whom

• Blackberrys – make sure they are initialised using the Blackberry function. If the Blackberry is lost, remember that this can be performed remotely.
• Mobile phones - make sure they are initialised, either using their reset function or some can be initialised remotely – such as Windows Mobile.
• Make sure they haven’t got a memory card inside that contains data.
• Make sure you remove any identifier that could link it your company, such as an asset tag.

Memory resident data in equipment

• Use the supplier provided reset and initialise functions. For example, make sure you always initialise your network equipment before disposing or selling it. You don’t want the inner secrets of your network topology in the wrong hands.

Disposing of equipment

• Before you actually dispose of equipment (and that includes sending it back to the leasing company, selling it second-hand or giving it to staff or charity), remove all identifiers that would link it back to your company. This includes branded stickers, asset tags, device name/address and even passwords !
• Remember that if an opportunist thief sees a number of second-hand devices, he will go for the one that he recognises as having come from a company – don’t let it be yours.

Information : What is ‘degaussing’?

Data is stored in media by making very small areas (called magnetic domains) change their magnetic alignment to be in the direction of an applied magnetic field. This phenomenon occurs in the same way as a compass needle points in the direction of the Earth’s magnetic field. Degaussing leaves the domains in random patterns with no preference to orientation, which means that any previous data is destroyed and unrecoverable. There are some domains whose magnetic alignment is not randomized after degaussing – this is called magnetic remanence because it is due to remanent magnetization. Comprehensive degaussing will ensure there is insufficient magnetic remanence to recover and reconstruct the data.

Data can be deleted on magnetic media in one of two ways:

• AC erasure in which the media is degaussed by applying an alternating field (from AC power) that is reduced from an initial high value.
• DC erasure in which the media is saturated by applying a unidirectional field (such as DC powered or a permanent magnet).

A degausser is a device that can generate a magnetic field for degaussing magnetic media. The magnetic field is very strong, so be sure you do not have your watch, mobile phone, credit cards and so-on near it.

And finally ….

If you have read this far, I hope you are convinced you need to securely destroy unwanted equipment that can contain your data. It may seem a lot of work, but most of the effort is getting the policy and processes in place. When that is done, the operational part of this will slip into your business-as-usual function.

Remember ….

• Just deleting the files on a disk isn’t enough, because only the index to the files is deleted, not the actual data. It is similar to tearing the contents page from a book – the detailed pages are still there, you just need to look harder.
• Data on a hard drive can still be retrieved even after several reformats by using forensic methods. Just formatting it or reinstalling an operating system isn’t enough – the previous data can still be accessed if the perpetrator is determined.
• Store all media securely until it is destroyed. It may look like old junk, but it can have valuable information on it.

Please take this subject seriously. It is much easier and less costly to put these steps in place, than to face the repercussions if your data is discovered outside your company.