Recently we have been finding increased interest among Canadian companies in making sure that any cloud work involving document or data storage (what doesn’t?) uses a cloud and backup service based in data centres under Canadian jurisdiction.
I think this is of more interest than it might have been in the past because of the high-profile discussions in the world media about actions taken under US jurisdiction, reflected in the Edward Snowden case (NSA document leaks) and the recent court decision regarding Bradley Manning (Pentagon data leaks).
What concerns many is not that the US is pursuing the people who leaked the information, but the realization that, under US anti-terrorism and national security legislation, government agencies are accessing millions of data files without the companies and individuals concerned being aware of it. This activity is perfectly legal under US law.
It seems realistic that if you are a Canadian company subject to Canadian privacy laws and you have placed information about your clients and consumers in a cloud solution in the US, you could be deemed, by design, to have failed the standard the Canadian legislation requires: that access to this information be limited to what is needed in the course of business. In addition, you are required to track and record such access in case an audit is required. Hidden, undisclosed access by US agencies would surely be a violation of both provisions, since it is neither limited to business need nor recorded anywhere in your own access records.
Would Canada Prosecute?
At this point I am not aware of any instance where this has come to light, nor of any company that has been challenged, but all it takes is for the information to come out in some public manner and the risk becomes real.
The alternative is to keep the information in Canada in the first place, so the problem never arises. This means you need to be careful to ask any supplier who will hold any of your data where that data is stored, including backup copies and replicas, and to get the answer in writing. The need to question location applies to:
- Cloud based file sharing services
- Online backup
- Server hosting, virtual server services
- Data storage services
- Cloud based document management
- Cloud based application hosting
- Outsourcing of data entry for any application (often offshored without client knowledge)
- Client information used for customer service or help desk support
Of course the type of data you are storing in the service will be part of your decision process.
In recent discussions with a Canadian based health services company about their need for improved document management, the location of any data store was a primary consideration in their search for a vendor.
The more sensitive the information you hold, especially if it is of a personal nature, the more critical your storage location becomes. If it is health care data, financial services data, billing information relating to individuals, legal information or any other high-risk information, take extra care to think through what precautions are warranted in your case.
Is this all a ‘chicken little’ concern?
I don’t think so. Just defending a breach, or dealing with a vendor based in an out-of-country jurisdiction in the course of some legal action, will lead to massive costs, even if in the end you are deemed not to be negligent or at fault. My sense is that this is a case where caution up front is warranted, and a much better and more cost-effective solution than solving the problem after it occurs.
Are the chances of a problem high? Probably not, but if there are means and methods to avoid being caught up in a foreign data leak simply by asking up front and choosing a vendor for your cloud applications and data storage from a Canadian jurisdiction, you are advised to do so.