Historically, IT has focused on its servers and networks, doing the best it can to keep the infrastructure running (and, let's hope, also keeping it secure!). The threat landscape is changing so fast that teams are being caught off guard on several fronts. One major area that must be on your next risk assessment is your legal risk.
Unfortunately our world is not simple. You may be running a cloud service with customers in different countries, and every country has its own laws governing how the data of its citizens is to be treated. Are you compliant with those laws, and if you are not, what are the implications?
I am not a lawyer, and this is not legal advice. This post should give you some indication of what you need to ask your in-house legal team to ensure you are compliant with the laws of every country where you operate (not just where your data centre is or where your office is, but also wherever you deliver your service to).
Privacy – Your customers have a right to privacy: a right to expect that the data they provide to you is protected and not shared with unauthorised parties. It is important to understand what your country considers to be private information, often referred to as PII (Personally Identifiable Information). It is good practice to keep an inventory of all the information assets in your organisation and to highlight any system that may contain the names, addresses, birthdays or phone numbers of any individual. Do not forget backups, log files and analytics exports, which frequently contain copies of the same data. Review this list regularly. For more information, review the GDPR, which applies across the EU from 25 May 2018 and defines personal data broadly (online identifiers such as IP addresses are included).
Storage – There are laws that govern where data may be stored. While the cloud is a great storage location, using a cloud service whose data centres are not physically located within your country may put you in breach of those laws. A number of countries have data residency (sometimes called data sovereignty) requirements that certain data about their citizens be stored, or at least have a copy kept, within their borders. In practice this means knowing which region your cloud provider stores each data set in, and where its replicas and backups end up, not just where the primary copy lives.
Data Retention – There are laws, tax laws in particular, that require data to be kept for a certain number of years. They can be specific, naming things like financial records, for example invoices and purchase orders. Retention laws can also specify when certain information must be deleted: if you collect private health information, the law may require that it be destroyed once it has served its intended purpose. Make sure you understand what should and should not be kept, and remember that a deletion obligation also applies to the copies sitting in your backups.
Encryption – While encryption is becoming commonplace, did you know that there are countries where the use of encryption is restricted, licensed or outright illegal, and others that control its import and export? There are certainly a number of things to consider, such as:
- Data in motion (external) – should I be using TLS (SSL itself is obsolete; use a current TLS version) to encrypt all traffic between my data centre and my customers?
- Data in motion (internal) – should I be encrypting traffic within my data centre, for example between services and to my backup targets?
- Data at rest – should my data be encrypted while it is sitting on the disks of my database servers, should my offsite backups also be encrypted, and who holds the keys?
Breaches – What if something bad happens, your site gets hacked, and you lose information? Apart from the PR nightmare you will be facing, what are your legal obligations? In Australia, the Notifiable Data Breaches scheme, established by the Privacy Amendment (Notifiable Data Breaches) Act 2017, takes effect in February 2018 and requires organisations covered by the Privacy Act to notify affected individuals and the Office of the Australian Information Commissioner of eligible data breaches. Build those notification obligations and timelines into your incident response plan before you need them.