How to manage global data under CLOUD Act governance

This post was also published with the Industry Association of Privacy Professionals.
It’s common knowledge that the U.S. government, with a subpoena or warrant, can compel companies to disclose data about companies and individuals. All governments have some type of legal capability to request data from information providers.

What is surprising to many, even those of us in IT, is that with the 2018 Clarifying Lawful Overseas Use of Data Act, the U.S. government can compel a U.S. company that is hosting data in another country to comply with such information requests. For example, if a Malaysian company is hosting data in Amazon Web Service’s Singapore region, Amazon will have to comply with U.S. subpoenas and warrants to disclose the data.

The CLOUD Act was passed to amend the Stored Communication Act of 1986, after Microsoft took a case all the way to the U.S. Supreme Court to not disclose data that was stored on a Microsoft server in Ireland. There are also similar laws in other countries, such as Australia, that go beyond the CLOUD Act, as they can be executed without disclosure.

Banks, health care providers and other large companies are highly concerned about the U.S. government having access to their data outside of their own countries’ legal process for accessing data.

If your company is storing German data and the German government can legally request the data, this should, of course, always be complied with and be expected by your German customer. If your company is storing Kuwaiti data in Canada, the Kuwaiti customer will be very concerned if the Australian government can access that data without following either Kuwaiti or Canadian laws and processes. So how can a U.S.-based company that is storing regulated data globally alleviate these customer concerns?

Disclose governmental access possibilities to prospects and customers

First off, when selling to international customers, be proactive in describing the jurisdictional controls that would apply to their data. It is better to address these issues head-on and upfront rather than when your software deal hits legal and compliance. Being proactive will save both your prospect and you wasted time and effort in case they are not willing to have their data disclosed to the U.S. government outside of their country’s legal procedures.

Restrict where data is hosted and which staff can access data

One option is to avoid U.S. cloud vendors and evaluate foreign clouds promoting themselves as hosting solutions beyond the reach of the CLOUD Act. It’s also important to have controls in place that restrict access to data. Specifically, for technology companies, engineers should never have access to production data. Do you think the front-end engineer that works on your bank’s website should make their debugging job easier with access to your personal bank records? Absolutely not. Every company needs to have strict data controls.

Move your US-based company to a data-friendly jurisdiction

If storing regulated data is a company’s primary business, consider moving your company’s headquarters to a data-friendly jurisdiction. Countries like Singapore and free trade zones like Abu Dhabi General Market are increasingly attracting high tech companies that need to instill customer trust in data storage. In countries where data disclosure of foreign data can be compelled, employees should work for a distinct subsidiary with absolutely no access to data or the right to direct employees in other countries to access data. For example, a company that is headquartered in the United Arab Emirates would have subsidiaries in the U.S. and Europe. The U.S. subsidiary would comply with U.S. government subpoenas and warrants for U.S. data but would not be able to comply with U.S. government subpoenas and warrants for Russian data.

Work with a systems integrator or local hosting partner to manage customer data

New technology trends, such as cloud native and Kubernetes, enable a partner to deploy and manage a software deployment on their own servers. With this mechanism, a systems integrator or local hosting provider can host your software on behalf of a customer. This may sound familiar to those that have been around IT for a while because it is very similar to a customer or partner running an on-premises version of your software. You provide the software, but you have no control or access to the servers running the software or the data within the servers. This type of deployment may not be suitable to your company as it requires a very modern software stack and deep technical support team. As the world’s data laws become increasingly fragmented, companies that store and manage regulated data need to seriously consider exactly under which jurisdictions they are storing data. International customers are making this part of their selection criteria.