The world of business now relies on cross-border data transfers in a way that would be unrecognisable to a technologist from just 20 years ago. Advances in technology have enabled data to be moved rapidly and stored indefinitely, which has delivered a host of business and user benefits allowing the global distribution of work and knowledge, 24-hour business operations and convenience for users and customers.
However, this reliance on data has also increased the risk businesses face from security breaches or loss of information, particularly as data moves across institutional and geographic boundaries. At the same time, regulations concerning the transfer of information and privacy have become much more commonplace, typically forbidding or restricting cross-border transfers unless certain conditions have been met.
To protect data effectively when engaging in cross-border transactions, organisations need to consider the lifecycle of that information and ensure implementation of security measures is integral to each stage of the cycle:
CAPTURE/CREATE
How businesses receive data will affect how they deal with it. Commonly accepted, safe methods of receipt include website capture using secure socket layer technology; file transfer using a secure file transfer program, virtual private network or file encryption; or physical transfers using a secure media room to image and ingest the data, supplemented by background checks on personnel.
INDEX AND CLASSIFY
Identification of the type of data that is being acquired is important. Is it personally identifiable information (PII), an image or a document and, if so, what type? These are treated differently under foreign data privacy regulations.
STORE/MANAGE
How the data will be stored affects what protection controls are required. If the data is PII or potentially PII, then there could be a legal requirement to store it in a disk-based encryption format and encrypt back-up copies of the data.
To protect data effectively when engaging in cross-border transactions, organisations need to ensure implementation of security measures is integral to each stage of the cycle
RETRIEVE/PUBLISH
Once a business has securely transferred data across the border, it must make it available for use. This will require encryption at every stage of the process, leveraging encryption-key management to prevent decryption in countries to which that data must not be transferred and controlling access to systems that critical data may traverse, such as network paths.
PROCESS
Data must only be used for authorised purposes and in compliance with applicable laws. Application controls and metadata-tagging generated during the index may be used here.
ARCHIVE
When the data is no longer needed for production purposes, it must be stored in compliance with the company’s data retention policy and applicable legal requirements. Issues to consider include whether backup occurs on-site or off-site and whether these cross international borders. Are the back-ups governed by other countries’ privacy and data protection laws?
DESTROY
Protected data, including archives, files, physical copies and any other versions created during the lifecycle of the data, needs to be rendered unusable, unless there is an exception to the rule, such as data subject to legal holds and disclosure requests.
Even once robust policies and processes have been put in place, organisations need to remain continuously vigilant, ensuring they monitor regulatory changes and stay up to date with frameworks such as ISO 27001. They must also develop strong incident-handling and remediation policies to cope with any potential breaches, and ensure these can handle cases which have cross-border or inter-jurisdictional ramifications.
Although much discussion has occurred around the creation of international standards for data security and privacy controls, a true international set of standards has not yet been developed.
Until that happens, meaningful protections for data, both domestic and international, will remain an issue for organisations of all kinds and sizes. Those conducting business internationally, contracting with international vendors or hosting data with international data centre providers must develop effective strategies to meet their current and future obligations.
Daniel Charboneau is responsible for the information security program at Epiq Systems, Inc. For more information contact epiqteam@epiqsystems.co.uk
