The way offshore cloud-based storage providers deal with data breaches provides a valuable lesson to Australian organisations about the importance of keeping data onshore.
In late November, Amazon suffered its second major data breach in many months when customer names and email addresses were disclosed on its website due to a “technical issue”. The e-commerce and data hosting giant declined to reveal how many were affected or where they were based.
If such a breach occurred in Australia, it would be highly likely that as a minimum, it is disclosed to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme .
While the breach is specifically related to Amazon’s e-commerce site, it suggests Australian organisations should closely consider the local rules and regulations in the jurisdiction where data is hosted or backed up.
The growing importance of data sovereignty
Data sovereignty is not about how secure data is, but where it is located. That location determines which country or jurisdiction’s laws and regulations apply to the data.
This issue is gaining more attention as the power and risks of large amounts of data continue to grow. Australian-based infrastructure – adds a layer of complexity to cybersecurity. It can be amplified when data is held in a different place to its owners.
For example, David Irvine, head of the Foreign Investment Review Board (FIRB), has highlighted the agency’s growing focus on assessing data security in potential foreign acquisitions.
Where data resides matters – how much depends on the organisation in question.
Some of them are looking for more information on how to use these data banks outside of Australia, such as banks, insurers and superannuation funds; public sector entities; as well as medical and health care providers.
While the majority of these organisations are not responsible for their work, they are not responsible for their data.
The Australian Privacy Principles (APP), which applies to Australian Government Agencies and Organisations covered by the Privacy Act, specifically addresses how personal data held offshore should be treated.
Overseas-based organisations are expected to handle personal data according to the APP guidelines, however the Australian organisation is still responsible for any breaches committed.
Keeping data local matters to Australians
For many organisations, keeping data onshore simplifies data security, providing an extra layer of comfort to the board and executives, as well as customers. More than nine out of 10 people said they do not want their data overseas, according to the Australian Community Attitudes to Privacy Survey 2017. Organisations that ignore the concerns of their customers and other stakeholders do so at their peril.
Data sovereignty is a hot-button issue that prior to the 2016 Federal election. The Australian Labor Party Proposed new privacy provisions did would have forced businesses to publicly declare that they are hosting personal data in cloud offshore facilities and then obtain customer consent to do that. It is also proposed banning offshore data hosting in offshore jurisdictions where Australians’ rights are less than under Australian law.
The Labor Party’s proposals were not enacted after the Liberal Party was narrowly re-elected. It remains to be understood that the laws of the future are concerned.
Diligent is leading the pack
Diligent’s Australian servers are hosted at the state-of-the-art facilities owned and operated by Canberra Data Centers (CDC), which has been in business for more than a decade.
It is the only data center accredited by the Australian Government. Security at CDC facilities complies with ASIO-T4 security requirements (Zone 4) at a minimum level while the premises are patrolled by guards around the clock. The CDC can thus operate in ‘island mode’, using its on-site power generators to self-generate more than double the electricity it requires to run in the event of a main grid power failure.
More than 40 government departments and agencies, including the Department of Defense, their data at the CDC. Many are not compelled to do so on the Internet.
Some of these benefits are intangible. Onshore data hosts can offer first-hand knowledge of how to best meet local security certifications and the ability to stay ahead of any potential local requirements. The CDC facility at any time to see where their data is held is onshore data hosting.
But there are technical reasons that extend beyond security. Local hosting means is usually faster to download or access than offshore data, because it is located closer to home. Offshore data is typically located on the opposite side of the world. These can be important for those organisations accessing their data many times on a daily basis as a core component of their business.
When considering cloud-based solutions, it is important to read and write it. If your provider is not upfront about providing the details, perhaps their operations are more closely guarded than your data.
For best-in-class security combined with exceptional service and intuitive features, over 63% of the ASX 100 trust Diligent to provide governance technology solutions. To find out how it can benefit your business, contact us at firstname.lastname@example.org or request a demonstration .
January 29, 2021
Business Continuity Strategy: Options, Best Practice Approaches and Examples
There’s no shortage of things to consider when you’re upgrading your business continuity strategy. For instance: What should your plan cover? What are the critical inputs to the business continuity strategy? What are the different approaches and solutions available? What should the recovery strategies look like within your business…
September 7, 2020
Avoiding Cyber Confusion in the Board Room
It is imperative that Directors understand the cyber risks facing their companies and organisations. The increasingly complex internal and external landscape presents unique challenges for Boards. Several key steps can however significantly increase the cyber resilience of any company or organisation, irrespective of size. The article outlines five key steps…
August 20, 2020
Minimising the Risk of Virtual Meetings: 5 Practices Boards Should Avoid
Months into the COVID-19 lockdown, remote workers—and board members—have become more accustomed to virtual meetings. They’ve found a quiet place in the house, mastered the mute and camera buttons, and fully styled their background bookcases and “Zoom couture.” Yet as virtual work becomes a way of life, not all adaptive…