70% of cloud data centers keep customers in the dark about storage locations

08 November 2012

As more companies turn to the cloud to provide redundancy and back-up services for mission-critical business functions, connectivity and applications, new research has revealed that a full 70% of cloud backup providers do not inform customers of where the data is being physically kept.

According to a report from Icomm Technologies, 70% of data storage/data center providers do not reveal which country, general locality or legal jurisdiction customer data is stored within. It’s an issue that becomes particularly apropos in the wake of Hurricane Sandy, which saw a number of critical data centers in the New York City area go down, darkening websites across the US. However, for UK businesses, the issue becomes broader. 

The Data Protection Act of 1998 specifically states that companies need to keep information secure, and that data should not be transferred to countries outside the European Economic Area unless it is adequately protected. If companies don’t conduct proper due diligence on their cloud storage and backup providers, then they run the risk of running afoul of the data protection regulations.

The Information Commissioner's Office (ICO), tasked with enforcing the law, has beefed up its penalties for entities that violate the Data Protection Act. In the last year, the ICO has issued £3+ million in fines for data security breaches in the public sector alone, including the recent record-setting Stoke-on-Trent offense.

Cloud storage has provided businesses with a viable and economical solution to the challenges of huge data growth and unlocked access to offsite disaster recovery facilities. But data center companies, by the virtual nature of their business, can store data in countries where costs may be lower, but which do not have the same regulatory governance in place as the UK with regard to data protection. In fact, the Business Software Alliance’s (BSA) Global Cloud Computing Scorecard ranks many of the major growth economies such as India, Brazil and China particularly poorly in comparison to the UK, which is ranked sixth in the world.

Yet, “our research has shown the frightening scale of cloud backup providers that are not forthcoming in sharing even basic geography of where data is stored,” said Icomm Technologies executive Ian Callens. “This suggests most users of cloud backup aren’t concerned or even asking the question of data location as part of their due diligence.”

He added, “Equally, it suggests many providers are hoodwinking customers by not proactively revealing where data is located,” and so, many are operating under the false perception that their data is protected under UK jurisdiction when, in fact, it isn’t. The onus is thus falling on organizations themselves to take action, he advised.

“With daily cybercrime and cyber espionage having escalated by 24% in 2012 [according to Symantec], businesses need to be confident they know exactly where customer or employee data is physically being kept,” said Callens. “Companies need to ensure they know where business critical data is being held to avoid the risk of cyber espionage, crime, illegal copying, sharing and selling of their data to third parties. Exposure could yield fines.”
