Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353


Cross-border data transfers are not only frequent, but often crucial components of everyday business. Today's patterns of global dataflow would be unrecognizable to a technologist of 20 years ago, and developments in global communication networks and business processes continue to evolve at a rapid pace.

Advances in technology have enabled data to be moved rapidly and stored indefinitely. This has delivered a host of business and user benefits, which include the ability to take advantage of a global distribution of work and knowledge, 24-hour business operations and convenience for users and customers. What it has also done, however, is expose business to a whole new world of vulnerability. As we move data from data center to data center and/or across borders, security breaches become a big risk. There is also the potential to violate national and international data transfer regulations and privacy laws. These latter risks are becoming more common as more countries implement privacy laws that regulate cross-border data transfers. These laws typically forbid cross-border transfers unless certain conditions are met or impose regulatory obligations upon the transferring companies.

Along with a general increase in cross-border data activity, there has been an associated increase in cross-border litigation — and therefore, in data discovery activity. Discovery cases involving laws and regulations, including the Foreign Corrupt Practices Act (FCPA), International Traffic in Arms Regulations (ITAR) and the U.K. Bribery Act, have also risen dramatically.

Because information technology and privacy legislation around the world change so quickly, legal and technology practitioners must be informed regarding best practices, applicable laws and regulations, and security protocols to keep data safe within data centers, during transit between data centers and in connection with a cross-border transfer.
Awareness

Companies and their employees must be cognizant of data security issues, particularly cross-border data security issues, before they can be addressed properly. Although there is no generally accepted definition of the term "privacy," nor a generally accepted framework for documenting and defining adequate "data protection," a commonly accepted lexicon is useful. For the purposes of this article, the following interpretations will be used:

• Privacy = Protection of any individual's data
• Data Protection = Aspect of privacy encompassing controls and safeguards that govern the processing, storage or transfer of an individual's data

It's also important to realize that the scope of cross-border dataflow issues is often broader than anticipated. Issues can arise in numerous regulatory arenas, but we are focusing on issues related to privacy and data protection.

Governance

Data privacy challenges often begin long before international data transfers come into play, such as at the business process and data governance levels. At present there is no standards-based governance model (e.g., ISO 27001) to leverage. The ISO committees plan to have a first draft some time in 2013 that will cover:

• ISO/IEC 27017 will cover information security aspects of cloud computing.
• ISO/IEC 27018 will cover privacy aspects of cloud computing.

The ISO standards will not address the entire scope of the privacy solution for data governance considerations.

The Information Governance Reference Model (IGRM) is analogous to the Open System Interconnect (OSI) Reference Model of Transmission Control Protocol/Internet Protocol (TCP/IP), as well as the Electronic Discovery Reference Model (EDRM). The former describes how data from an application on one computer are transferred to an application on another computer, and the latter describes how data should move through the electronic discovery process. The OSI Reference Model dramatically improved the ability to enable consistent interoperability between highly disparate systems and processes. The same conceptual model (e.g., IGRM) is required to address the privacy and cross-border data security challenges faced by companies today.

Mitigation Strategies for the Information Lifecycle

To protect data effectively when addressing cross-border data issues, you must consider the lifecycle of the relevant data. Records management models provide an excellent starting point for identifying technical and administrative security and privacy controls that apply well to cross-border data transfer challenges, acting as accountability frameworks for information management as a whole and including natural checkpoints for each step of international data transfer. The basic components of the data lifecycle are as follows:

• Create/Capture
• Index and Classify
• Store/Manage
• Retrieve/Publish
• Process
• Archive
• Destroy
