Most, but not all, of the world’s leading cloud providers — Salesforce, Amazon, Google, Rackspace, et al. — are hosted in the United States. This means that data contained in U.S.-hosted clouds is subject to U.S. laws governing security and privacy, which further means that the laws of the United States govern the data used by your foreign subsidiaries hosted in U.S. clouds, and it applies to their clients and customers as well.
Essentially, data is subject to the laws of the legal jurisdiction in which the cloud that hosts it is located, wherever that may be at any given time. Call it data sovereignty.
CFOs whose businesses use cloud systems across their overseas subsidiaries need to be aware of the legal and regulatory frameworks of each of the countries in which their subsidiaries operate. CFOs should also be concerned about the fact that, in the cloud, data may move swiftly across a number of international legal jurisdictions as providers distribute workloads in an attempt to optimize the capacity and efficiency of their servers, and each jurisdiction the data visits may bring with it varying compliance requirements.
The Story of A, B, and C
Take customer privacy. Having data from Country A, for example, residing in Country B can expose your businesses to liabilities under Country B’s laws. Some of these penalties can be severe, ranging from fines to the revocation of a trading license. Therefore, your subsidiary in Country A needs to do an assessment to see whether it’s using or storing any personal, business-sensitive, or other types of data in Country B that’s not being handled in ways approved by Country B’s laws. You may be fine under Country A’s laws, but noncompliant in Country B.
Further complications can arise when foreign clients of your foreign subsidiaries store their data on your U.S. system, which could mean they’re fine under U.S. law but noncompliant with wherever they’re based overseas. Moreover, these clients may have contracts with your foreign subsidiary that contain specific data protection and residency conditions. For example, should your foreign subsidiary in Country C have a major contract with a government agency (for example, the Defense Department), there could be contractual obligations to ensure that this data never leaves Country C. Your subsidiary would be in breach of its contract if this data (or any piece of it) turned up in a cloud system’s data center in Country A or Country B. This could be a show-stopper for your subsidiary.
Managing the Compliance Maze
While the potential cost benefits for implementing a global and standardized cloud system across all your overseas operations can be compelling, the risks of managing the maze of compliance and cross-border legislative jurisdictions should not be ignored. The cost and effort of implementing the governance required to determine compliance in all jurisdictions should be included in the business case for the roll-out of a cloud infrastructure or application.
Even though you may feel that using the cloud to run your systems simplifies and decreases the cost of your IT deployments, remember that the underlying databases and files still end up being stored on servers, hard disks, and other computer systems in a data center somewhere on planet Earth. And keep in mind that the laws of the country where those servers and hard disks live would then apply to you.
Even when global cloud providers operate a number of international data centers and offer customers the choice of which data center they wish to use, this still doesn’t solve the problem. For example, Amazon clients can choose to use Amazon’s Singapore data center. And that’s terrific for your Singapore subsidiary, which now knows it will be compliant with Singapore regulations. But what about your Australian subsidiary subject to Australian data-residency legislation? Hosting its data in Singapore will require a measure of sophisticated contractual legerdemain.
So CFOs need to know how to conduct an audit of the cloud infrastructure, as well as where, how, and in what manner the data (and the systems that access and manipulate it) is being managed.
To mitigate some of these jurisdictional limitations, bilateral and multilateral agreements are being constructed between governments, facilitated by some of the major cloud vendors, to allow adherence to common operating standards. However, these have not been adopted universally, and one would be ill-advised to hold one’s breath until they are.
CFOs need to be fully aware of these and other due diligence and compliance considerations before allowing their organizations to commit to deploying global cloud systems. They have the potential to add cost and complexity, and impose governance limitations on your systems. Be informed, and then make the smart decisions that are appropriate for your business regarding a global cloud deployment. This is another situation in which an ounce of prevention is well worth the investment before that pound of cure is required.
Rob Livingstone, an experienced CIO, is the author of the book Navigating through the Cloud: A Plain English Guide to Surviving the Risks, Costs and Governance Pitfalls of Cloud Computing. Visit Rob at www.navigatingthroughthecloud.com or e-mail him at firstname.lastname@example.org.