Data sovereignty laws place new burdens on CISOs
Your information is at the crux of the issue of data sovereignty. Where is your information? Who has access to the information? Do you have control of your information in each country, or does the government also have access (and control) of your data?
There is no one-size-fits-all set of rules, and therein lies the conundrum for CISOs, especially those whose customer base or digital infrastructure crosses political boundaries.
In a paper published on August 3, Professor Susan Ariel Aaronson of George Washington University observed that, under the guise of digital sovereignty, “governments are seeking to regulate commercial use of personal data without enacting clear rules governing public sector use of data.”
In a 2020 “ideas paper,” the EU described digital sovereignty as “Europe’s ability to act independently in the digital world and should be understood in terms of both protective mechanisms and offensive tools to foster digital innovation (including in cooperation with non-EU companies).”
The EU’s GDPR has effectively forced a sea change, and not only for EU-centric companies. As Kim Chan, CEO of DocPro, notes, “the GDPR being an EU regulation, organisations all around the world have scrambled to comply with it. This is because the GDPR is applicable not only within the EU but also applies to entities that offer goods and services and collect and process the data of EU customers.”
The interest in securing citizens’ data is universal. The African Union is working to catch up with the development of a unified common data system. The goal is to “regulate the ever-increasing production and use of data across the continent, whilst creating a safe and trustworthy digital environment that supports the development of a sustainable and inclusive Africa digital economy and society.”
Stephen Boyce, senior advisor to the International Foundation for Electoral Systems (IFES), reflected on the IFES experience: with offices in over 20 countries, the non-profit finds complying with the data sovereignty laws of each country “challenging.” Accounting for the better-understood laws such as GDPR, as well as the one-offs as they pop up, means, he said, that “our team has to go to the drawing board to think through how it will impact our operations.”
The looming question that all CISOs and managed security service providers (MSSP) must be able to answer is, “Where is the data?”
Avoiding data sovereignty violations
Companies putting their data into the cloud must realise that not all providers are created equal; they must do their due diligence to ensure they avoid storing data in jurisdictions subject to data sovereignty laws.
Daniela Sawyer of FindPeopleFast, speaking from firsthand experience, found that “verifying that data exists only at allowed locations is difficult. It requires the cloud customer to trust that their cloud provider is completely honest and open about where their servers are hosted and adhere strictly to service level agreements (SLAs).”
It isn’t just the smaller companies having issues. In May 2021, the EU’s European Data Protection Supervisor opened a probe into how entities within the EU were using both AWS and Azure, to answer the question: Are they adequately protecting the privacy of their users?
Expect data sovereignty to increase OPEX
Operating expenses are being impacted by data sovereignty. Attila Tomaschek of ProPrivacy commented, “Additional ongoing expenditures include continuous staff training on cybersecurity best practices, investment in new technologies and network monitoring tools and bringing on additional personnel such as a data protection officer, compliance officer or other staff dedicated to securing business data and complying with data sovereignty laws.”
A similar view is shared by Jesse David Thé, CEO of Tauria, who shared how his entity navigates through GDPR: “We need to show a specific data trail of how we obtained someone’s contact information. They have a right to be forgotten from our system and we must have explicit permission to send them marketing emails. This data exists within our walled garden, and we can’t share it with any of our partners for example. Neither can a partner share client contact information with us unless the client gives permission.”
Thé noted that the need to comply drove their OPEX up and was instrumental in the decision to hire “a CIO to help us ensure our GDPR compliance.” Small companies, he added, will need to budget for this.
Infosec must evolve
Anderson Lunsford, CEO of BreachRx, noted that breach notification requirements are changing, with insurance companies requiring near real-time notification of breaches or compromises; an insured that fails to do so faces penalties. Lunsford also observed that companies may have incident response plans put together on paper by information security professionals, yet far too many never practise the scenarios outlined, nor have they incorporated the requirements of the various privacy laws.
Lunsford notes one salient aspect of breach response, especially when considering penalties imposed upon companies: “The companies that are penalised the most aren’t necessarily those with the biggest breaches, but those that don’t handle the response work well. Regulators have been increasingly vocal about their views in this regard. It is well-accepted in the security and privacy industries that incidents will happen to all organisations (it’s not if, but when). Regulators and customers expect companies to be prepared for these inevitable situations and respond timely and appropriately.”
Penalties come, and some come at you hard. Law firm Morrison & Foerster, in a recent Privacy Minute newsletter, shared how businesses in and outside of Russia have received queries asking them to confirm that they store the personal data of Russian citizens in Russia. Google’s Russian experience is worthy of note. In late July, “a court in Moscow fined Google 3 million rubles for the US technology giant’s refusal to localise the personal data of its users in Russia.”
In India, credit card companies are apparently finding the country’s data privacy laws difficult to navigate. MasterCard was the most recent entity to be barred from accepting new customers in India for alleged noncompliance, following American Express and Diners Club; the Reserve Bank of India (RBI) has barred all three indefinitely from issuing new credit or debit cards within the Indian domestic market. RBI alleges they violated data storage rules.
“The disparate and myriad data sovereignty laws around the globe necessitate clearer views into data flows, but to date, there is no one, easy way for large enterprises to achieve full visibility and monitoring,” says Katie Teitler, vice president of research and advisory at TAG Cyber. “Newer tools are coming on the market to help, but at least for the foreseeable future, a lot of time and money will be spent on compliance.”
Suffice it to say, the view over the horizon sees a good deal of heavy lifting for CISOs and their teams.
This article was written by Christopher Burgess from CSO Magazine and was legally licensed through the Industry Dive publisher network. Please direct all licensing questions to legal@industrydive.com.