In our borderless commercial environment, companies need not only be aware of Canadian legislation, but also of the laws of the countries in which they do business. Makes sense, doesn’t it? But how many realize that, regardless of whether they do business internationally or just within Canada, they also must be aware of where their data is stored, and the legal implications of that decision? A decision they may not even realize they have made.
When the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, better known as the USA Patriot Act, came into being after the terrorist attacks on September 11, 2001, it granted U.S. law enforcement agencies broad powers to access data stored in the United States or accessible by American citizens. Even if an organization’s activities are solely within this country, this raises concerns that personal data about Canadian citizens — although supposedly protected by privacy legislation such as the Personal Information Protection and Electronic Documents Act (PIPEDA) — is in fact subject to scrutiny if it is stored on servers housed in the United States.
“The issue for Canadian businesses is that if they use American IT services, those providers are subject to American law (including the Patriot Act) the same way Canadian businesses are subject to Canadian law,” says Tracy Ann Kosa, doctoral researcher, computer science at the University of Ontario Institute of Technology (UOIT). “The problem is what happens when Canadian law conflicts with American law; the Canadian privacy legislation, PIPEDA, has requirements for managing customer information that may conflict with Patriot Act requirements for American service providers acting as vendors for Canadian companies.”
In addition, says independent analyst Carmi Levy, “any time a Canadian firm touches its U.S. customer base or supply chain in virtually any way, the resulting data that is either generated or transported becomes subject to the terms of the U.S. Patriot Act. If it crosses American infrastructure, it can be monitored, investigated and acted upon by American law enforcement agencies.”
WWW.SECURITYMATTERSMAG.COM
That doesn’t mean Canadian businesses have to become paranoid. They do, however, need to be aware of their risks and of their responsibilities. Notes Claudiu Popa, president of Toronto-based Informatica Security, “It is extremely important for Canadian businesses to be aware of two aspects pertaining to the trans-border flow of information:”
• They are responsible for the adequate protection of the client information in their custody; and
• That information, when e-mailed, processed or backed up online, is likely to be transmitted through U.S.-based servers. This carries the potential for that sensitive client information to be accessible under the provisions of the Patriot Act.
In reality, there’s nothing wrong with transferring data from Canada to U.S. servers in itself. In fact, in a 2007 speech at the International Security Managers Association Conference, Jennifer Stoddart, Privacy Commissioner of Canada, pointed out that Canadian law does not prohibit foreign data storage, but it does place conditions on it.
“PIPEDA doesn’t limit trans-border data flows,” she said, “but it does require a company to inform customers that it may send their personal information out of the country and that while such information is out of the country, it is subject to the laws of the country in which it is held. The USA Patriot Act also affects Canadians’ personal information when it is outsourced to companies in the United States.”
This means, Kosa notes, that a company’s privacy policy may need to be adjusted. “If there is a risk to a Canadian customer that the American government may access their information from an American service provider under the Patriot Act, the Canadian company should inform customers of this risk in its privacy policy,” she says.
And what about the hottest trend in IT these days, cloud computing? Well, it adds a whole new dimension to the issue. “The problem with cloud-based solutions lies in their geographic disconnectedness,” Levy explains. “When researching potential cloud-based options, it’s crucial for Canadian companies to challenge vendors to confirm precisely where data centres and related infrastructure are located. Otherwise, there is no way to know which national legislation might apply.”
Kosa concurs. “It makes it more important for business to understand what services are provided by whom, when sub-contractors will be used, and where they are located,” she says. “This should be outlined in a service level agreement. It’s important for a business to be aware of the intricacies of the privacy requirements from all applicable legislation, and build these requirements into contract agreements.”
Customers also need to be aware that their data may be stored or transmitted outside Canada, Popa adds, and should be educated about potential risks so they can make informed decisions. “Businesses,” he suggests, “wishing to keep information away from the potentially prying eyes of the U.S. government may wish to review options for encryption and for exchanging information outside U.S. jurisdiction.”
That may be easier said than done, however. Popa notes that most online interaction, both business and personal, is routed through U.S. servers and data centres, where it may be retained. Levy agrees. Despite best efforts, it may not be possible to ensure that confidential data remains within Canadian borders. “Where things get murky is in the increasing interconnectedness of the IT world that underpins Canadian business,” he says. “Growing reliance on third-party providers for the kind of mundane, everyday services that were once the exclusive domain of in-house IT means Canadian businesses could unwittingly find themselves handing over confidential information to U.S. law enforcement agencies. This form of inadvertent exposure could spell trouble for companies that fail to understand the complexity of their data environment.”
Lynn Greiner is a freelance writer in Newmarket, Ont.
SOURCES
Informatica Security • www.informaticasecurity.com
Privacy Commissioner of Canada • www.priv.gc.ca
UOIT • www.uoit.ca
SECURITY MATTERS 25