Data Security and Regulations
With the exception of data protection legislation in the European Union, few if any formal regulations limit the movement of business-critical or sensitive data to offshore locations. To comply and ensure the ebb and flow of money across the Atlantic, U.S. companies practice self-regulatory measures via Safe Harbor standards, but only for EU transactions involving personal data.
These measures represent the first steps toward formal data privacy governance on an international level. However, the scope and associated impacts don’t apply to IT offshoring hotbeds such as India and China. And still, the data security industry buzzes with examples that include such headlines as: “U.S. customer social security numbers going for $5 on the street in Mumbai,” resulting from production data moving offshore for testing purposes.
The bottom Line? Domestic data privacy laws and regulations are not enforceable in a foreign jurisdiction. Unless the hosting country has equivalent laws, regulations, and commitment for enforcement, you should plan on a rigorous examination of the offshore security policy, procedure, and technical controls.
A recent analysis by the U.S. Federal Deposit Insurance Corporation (FDIC) concluded that formal data privacy policy and governance is practically non-existent in most, if not all offshore hotbeds. The report states, “… none of the countries currently have privacy laws equivalent to those of the European Union or the United States”.
That said, changes are afoot with India recently announcing the creation of a data security watchdog agency, associated with NASSCOM (National Association of Software and Services Companies). This non-governmental organization will publish and promote best practices for IT security, but there are no indications of formal regulation and governance by the government.
While many debate that this offers companies no more than “warm and fuzzies” with respect to data security, it does lay groundwork for Indian offshore service providers to set up stringent auditing and management capabilities for data security.
Nonetheless, governing data security is a monumental task if the data and supporting systems are physically located offsite. As a result, until these laws become more widespread and enforceable a more realistic scenario will see companies adopt the interim “half-way-house” model, resulting in the retention of IT infrastructure and data, but outsourcing the maintenance and management.
Essentially the policies, procedures, and powers of the free market govern offshore data security instead of formal regulations. And these regulations still depend on well managed policies and procedures as seen in the onslaught of U.S. domestic customer data theft and loss cases of the last several years.