Hi All,
Think about the ramifications of this bill, if this is accepted from a privacy and data perspective:
https://www.securityweek.com/new-legislation-would-block-us-firms-storing-personal-data-china-russia
Regards
Caute_cautim
For national security reasons I don't think U.S. data should be off-shored ever. Regardless if it is a text from Aunt Tilly to her niece about a tea on Saturday. As innocuous as that scenario seems, a lot of information could be gleaned from that short exchange. What if Aunt Tilly is a congressperson and her niece is employed in the aerospace defense world? Them both being out of the home at the same time could allow two targets to be infiltrated. All kinds of data monitoring could take place.
How about data storage?
We for example refuse to store data on any cloud that is situated in the USA, for the simple reason that there is no guarantee that our data won't be demanded by the US government for whatever reason under that weird law from after 9/11.
We store our cloud data in Europe or Ireland only.
And I know we aren't the only company to do the same.
There are many reasons not to store or transfer data to certain countries, so I for one don't see an issue with not transferring data to Russia or China. After all, we all know how safe the data is there...
Data sovereignty is an issue for everyone. The Australian Govt has mandated that certain data be kept in Australia for two reasons: 1. The lack of trust in the US Govt as at the time (or still are) via the NSA reviewing data that we thought was secure and 2. So that they could get access to it for supposed national security purposes saying it would protect us from terrorists.
The problem is that it has constantly been abused by every level of government in Australia from Federal, State down to local councils trying to track down parking fine defaulters. Last year the access to Telco Meta Data was in the 10s of 1000s to locate people. This is hard proof of the abuse that goes on.
Personally, the best place to keep data is somewhere like Switzerland with no treaties as they don't have agreements with Russia, China, USA or Australia in passing on data.
In 2008 a large US company hosted an Australian University CRM in Singapore, 3 months later the data was available in China. On investigation, we found that the US company Administrator was working out of Beijing. We were assured that the US employment contract would give assurance of data confidentiality. It pays to be very careful and cautious.
@Shane_60 Given my own experience, as I cover both Australia and New Zealand in my professional capacity. With the use of Cloud Computing, within both countries by the respective Governments. I think it would be very hard to reduce the level of expected data leakage, as literally the "cat is out of the bag" situation.
Plus the lack of visibility and the amount of ShadowIT going on, which would probably mean there would need to be state run CASBs, or SASBs in order to ensure suitable compliance and controls are in place.
When will they realise their folly?
Regards
Caute_cautim
@MikeGlassman wrote: How about data storage?
We for example refuse to store data on any cloud that is situated in the USA, for the simple reason that there is no guarantee that our data won't be demanded by the US government for whatever reason under that weird law from after 9/11.
We store our cloud data in Europe or Ireland only.
And I know we aren't the only company to do the same.
Unfortunately, due to the US CLOUD Act 2018, not storing data in the US is no longer a viable option for avoiding US warrants - any company with operations in the US must comply with government requests for data, regardless of where that data is held (this law was passed due to the whole mess with Microsoft refusing to hand over data stored in Ireland).
@MikeGlassman Interesting following up and getting to the root issues within Australia: The Australian Data Protection (APP) principle 8 is the main issue: Cross border transfer of data. It appears that the Australian Government do not fully trust the USA or EU, especially in a cloud computing situation, and data sovereignty. So there is still a need for in country processing on shore, even if it is in a private cloud or hybrid cloud situation.
Regards
Caute_cautim