Many Canadian companies want to transition to the cloud for business data hosting or backup yet worry about data access and privacy. Keep reading to understand your obligations and risks.
What’s in a name?
What exactly is “The Cloud”? This may seem like an absurd question to ask, but the very nature of the term is still subject to gross misinformation and hyperbole.
Simply stated, the cloud is any storage or service that is provided and accessed over the internet rather than on a local computer or server. When someone uses the term “Cloud”, they really mean “over the Internet”.
The cloud is not one specific product or service and there are many examples such as:
Private Cloud: storage or resource hosted externally from your business but dedicated and managed solely by your company e.g.
- Virtual Private Server
- Amazon EC2
- Microsoft Azure
Public Cloud: storage or a service offered to the public by a provider, with only the limited administrative controls that the provider exposes, e.g.
- Google Drive
- OneDrive
- Dropbox
- Office 365
- Gmail
Backup Vendor: a storage subsystem devoted solely to the purpose of storing backups e.g.
- Storagecraft
- Intronis
- Barracuda
- Solarwinds
Why is this important?
Both public and private sector organizations must follow government laws affecting the storage and use of personal information.
Provincial governments also have privacy laws to protect customer data, particularly in health care. Storing data outside of Canada brings additional challenges, namely a new set of rules and regulations. Find out what affects data leaving the country, and how this impacts your organization.
PIPEDA, the Personal Information Protection and Electronic Documents Act, holds private organizations accountable for protecting information during transit and outsourcing. While information can sometimes cross borders, the Canadian business remains liable for any breaches.
Further to this, some Canadian provinces, such as Alberta, have their own – or additional – regulations that sectors must follow, and many professional bodies impose their own guidelines (e.g. The Canadian Bar Association, CPA Canada, and the global Payment Card Industry Security Standard) that must be adhered to.
Many of these governing bodies also stipulate how long data must be retained and in what form, the processes to be followed for recovering data from archives and how data must be encrypted. If you fail to accommodate these requirements within your data backup planning and implementation, you may, despite your best intentions, find yourself out of compliance and subject to consequences that could include fines, limitations on business activities, and damage to your corporate reputation.
Rules that affect data leaving Canada
PIPEDA mandates that organizations are responsible for personal information they’ve collected even when it’s being transferred to a third party.
The company is required to use “contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”
To ensure your business complies with PIPEDA, let’s look at what this regulation really means:
- Transfer: When information is transferred for processing, it must only be used for the original purpose of collection (for instance, marketing).
- Comparable Level of Protection: The third-party processor must provide a level of protection equivalent to what the data would have received had it remained with the Canadian company.
- Transparency: The organization must be transparent about its practices for handling personal information. Organizations must tell customers that their data is sent elsewhere for processing, and state that personal information sent to another jurisdiction may still be accessed by Canadian law enforcement, courts, or national security personnel.
The law also stipulates that a company must be forthright with its customers about how their data will be handled, including the chance that it may be stored within another jurisdiction.
Considerations for storing your data outside your jurisdiction
While the above rules seem clear, once your data is transferred outside of Canada, it becomes subject to the laws of the country in which it is stored.
If your data is stored on servers in the U.S., U.S. laws and programs such as the Patriot Act, the CLOUD Act and PRISM will apply to it, all of which allow authorities to access your sensitive data if they deem it necessary.
This type of breach happens more often than one would think, as many cloud backup providers store your data unencrypted or use the same encryption key for all data stored in their data centers. An investigation into someone else’s data may expose yours in the process.
If you use Canadian servers, your data falls under Canada’s jurisdiction, and our privacy laws arguably take better care of your sensitive data.
Since your company will be held liable for anything that happens to such data, one must assess any risks that could jeopardize the confidentiality and security of personally identifiable information once it’s released to an international cloud provider.
Companies in legal, medical, or financial markets should be particularly sensitive to data location, given their professional obligations to protect and maintain client privilege and the confidentiality of often critically sensitive data. Data security remains the obligation of the organization that has collected the personal information.
The bottom line
When it comes to data storage in the cloud, regulatory compliance is a critical factor for businesses of all sizes.
The takeaway
Regardless of what industry you’re in, there are a few universal recommendations:
- Store your backups and data within Canada
- Use end-to-end encryption with AES-256
- Use user generated (unique) encryption keys – not ones shared with your data host
- Retain all backups for a minimum of 1 year
- Test the ability to restore your backups every quarter!
- Talk to your I.T. provider to ensure that your company’s data and your customers’ data are safe!
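Added example (not code from the original article): the encryption, key and restore-test recommendations above in working Go, using only the standard library. It generates the key on the client, seals each backup with AES-256-GCM before anything leaves the business, and exercises the restore path, which fails closed on a wrong key or a modified blob. The backup contents are a constructed sample, and the host is assumed to receive only the sealed blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// NewBackupKey makes a 256-bit key on the client; it is never uploaded to the host.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // GCM: encryption plus an authentication tag
}

// Seal encrypts one backup client-side; the uploaded blob is nonce||ciphertext||tag.
func Seal(key, backup []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every backup
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, backup, nil), nil
}

// Restore is the restore test: decrypt what the host holds. A wrong key, a
// modified blob or a truncated upload fails closed rather than yielding garbage.
func Restore(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Run Restore against a copy pulled back from the host, not the local original, so the quarterly test proves the stored blob and the kept key still work together.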