Information Security: Governments, Jurisdictions and Privacy Regulations
As pressure from regulatory compliance increases, the modern Chief Information Security Officer (CISO) must take a progressively integrated and holistic approach towards information risk management. Organizations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered across the globe. By implementing strong information security measures, the CISO is more likely to stay ahead of regulatory mandates.
Let's face it, there is no way to get around data privacy laws and regulations. Businesses must either comply or pay a stiff penalty. No two jurisdictions are alike in their regulations, privacy legislation, and fraud and breach prevention. Traditional information protection methods may be difficult to apply or useless when it comes to storing or harnessing data in the Cloud.
Organizations of all sizes will have better control of their data, and be better prepared for what lies ahead, if they brush up on the requirements now and recognize that no two sets of rules are alike. Regulations vary across jurisdictions, change constantly, and are not standardized when it comes to protecting data. Unless you continuously monitor the rules, and put mechanisms in place to do so, you may be compromising not only your data but also your corporate responsibility.
Data Privacy and Regulations
The concept of privacy is preserved in various regulations. The aspect of privacy that is relevant to information security derives from the right of respect for personal information that is held by organizations as data. When data held by organizations is sufficiently safeguarded then individuals' privacy is protected.
The requirement for maintaining data privacy has increased as privacy regulations have been adopted by many more jurisdictions since they were first introduced. Fines for breaching data privacy regulation have multiplied, and penalties can be more severe than fines. Increased public awareness and media interest have led to potential commercial and reputational consequences for non-compliance.
Most governments have created, or are in the process of creating, regulations that impose conditions on the protection and use of Personally Identifiable Information (PII), with penalties for organizations that fail to protect it sufficiently. As a result, organizations need to treat privacy as both a compliance and a business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and the consequent loss of customers following privacy breaches.
Different countries' regulations impose different requirements on whether PII can be transferred across borders. Some have no additional requirements; others have detailed requirements. In order to determine what cross-border transfers will occur with a particular cloud-based system, an organization needs to work with their cloud provider to determine where the information will be stored and processed.
Transferring to Approved Non-EU Jurisdictions
No additional requirements apply if information is transferred to approved jurisdictions. Approved jurisdictions have been recognized by the European Union (EU) as having an adequate level of protection under local regulation; these are jurisdictions whose data privacy regulations broadly match those of the EU. Jurisdictions that have satisfied these requirements include Argentina, Canada, Israel, Uruguay and New Zealand.
Transferring to the US
One of the major jurisdictions missing from the approved list is the US. However, both the EU and US governments want organizations to be able to transfer data between the two. To support this activity the Safe Harbor Treaty has been created, which allows EU information to be transferred to US-based organizations.
Transferring to Non-Approved Jurisdictions
The EU does not prevent the transfer of PII to non-approved jurisdictions. However, such transfers are allowed only if an adequate level of protection can be assured.
Risk Happens but Awareness is Key
Putting private information into the cloud will certainly create some risk, which must be understood and managed properly. Organizations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered across the globe. If the data being moved is subject to privacy regulations, and the data centers are in different jurisdictions, this can trigger additional regulations or result in a potential compliance breach.
The decision to use cloud systems should be accompanied by an information risk assessment conducted specifically to deal with the complexities of both cloud systems and privacy regulations; it should also be supported by a procurement process that helps compel the necessary safeguards. Otherwise, the relentless pressure to adopt cloud services will increase the risk that an organization fails to comply with privacy legislation.
Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Information risk management is therefore relevant only insofar as it enables the organization to achieve these objectives, ensuring it is well positioned to succeed and is resilient to unexpected events. As a result, an organization's risk management activities – whether coordinated as an enterprise-wide program or at functional levels – must include an assessment of the risks to information that could compromise success.
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.