According to a report from Icomm Technologies, 70% of data storage/data center providers do not reveal which country, general locality or legal jurisdiction customer data is stored within. It’s an issue that becomes particularly apropos in the wake of Hurricane Sandy, which saw a number of critical data centers in the New York City area go down, darkening websites across the US. However, for UK businesses, the issue becomes broader.
The Data Protection Act of 1998 specifically states that companies need to keep information secure, and that data should not be transferred to countries outside the European Economic Area unless it is adequately protected. If companies don’t conduct proper due diligence on their cloud storage and backup providers, they risk running afoul of the data protection regulations.
The Information Commissioner's Office (ICO), tasked with enforcing the law, has beefed up its penalties for entities that violate the Data Protection Act. In the last year, the ICO has issued £3+ million in fines for data security breaches in the public sector alone, including the recent record-setting Stoke-on-Trent offense.
Cloud storage has provided businesses with a viable and economical solution to the challenges of huge data growth and unlocked access to offsite disaster recovery facilities. But data center companies, by the virtual nature of their business, can store data in countries where costs may be lower, but which do not have the same regulatory governance in place as the UK with regard to data protection. In fact, the Business Software Alliance’s (BSA) Global Cloud Computing Scorecard ranks many of the major growth economies such as India, Brazil and China particularly poorly in comparison to the UK, which is ranked sixth in the world.
Yet, “our research has shown the frightening scale of cloud backup providers that are not forthcoming in sharing even basic geography of where data is stored,” said Icomm Technologies executive Ian Callens. “This suggests most users of cloud backup aren’t concerned or even asking the question of data location as part of their due diligence.”
He added, “Equally, it suggests many providers are hoodwinking customers by not proactively revealing where data is located,” and so many customers are operating under the false perception that their data is protected under UK jurisdiction when, in fact, it isn’t. The onus is thus falling on organizations themselves to take action, he advised.
“With daily cybercrime and cyber espionage having escalated by 24% in 2012 [according to Symantec], businesses need to be confident they know exactly where customer or employee data is physically being kept,” said Callens. “Companies need to ensure they know where business critical data is being held to avoid the risk of cyber espionage, crime, illegal copying, sharing and selling of their data to third parties. Exposure could yield fines.”