What Ramifications Could Data Residency Laws Have On Your Business During An eDiscovery Investigation?

Written by Mikel Pearce, Director of Business Development Canada & UK at CyberClan, and Louise José, Marketing Consultant

What is Data Residency?

Data residency refers to where, or in which country, an organization stores its data. This usually implies that a certain amount of data processing is done within a country’s borders, in accordance with the laws of that specific region.

There are various reasons why an organization may store its data in a certain region, such as:

Tax benefits – a business may want to take advantage of a beneficial tax environment offered by a particular government. In return, the business would need to ensure a significant part of its operations stays within the country’s borders. Since an important component of business operations concerns data storage, it may also choose to host its data in the country too.

Transparency – a business may want to include data residency in its company policy so customers are made aware of exactly where their data is being stored.

Financial and regulatory reasons – for a business, it may be cheaper to use a local data service provider, or even set up a data center in a specific country. Additionally, a government may have beneficial data protection laws for a business.

However, in recent years, there has been a marked increase in companies using cloud-based software and data centers to store their data. For this reason, it can be difficult to determine exactly where data is held and what laws are applied to different types of data.

Data, especially the personal data of clients and employees, is particularly valuable to threat actors, and exfiltrated copies are often the asset they leverage in a ransomware attack, for example by threatening to publish them. Knowing exactly where that personal data is stored is therefore a prerequisite for strong cyber security: you cannot protect, or assess the exposure of, data you cannot locate.
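One practical check behind this point, added here as an example and not CyberClan's own tooling: enumerate the regions your cloud storage actually lives in and compare them with the regions your residency policy allows. The block below does this for AWS S3. The bucket names, sample inventory and allow-list are constructed for illustration, and the live lookup assumes boto3 plus credentials. The normalization step matters because S3 reports two legacy values for older buckets (`None` for us-east-1 and the string `EU` for eu-west-1) that a naive string comparison would misread.

```python
"""Check where S3 buckets physically reside against an allow-list of regions.

Added example, not CyberClan's tooling. boto3 is needed only for the optional
live audit; the offline check works on any (name, constraint) inventory.
"""
from __future__ import annotations

from typing import Iterable

# S3 reports a bucket's region through the LocationConstraint field of
# GetBucketLocation, with two legacy quirks a naive check will get wrong:
# buckets in us-east-1 report None (no constraint), and some very old
# eu-west-1 buckets report the string "EU".
LEGACY_LOCATIONS = {None: "us-east-1", "": "us-east-1", "EU": "eu-west-1"}


def normalize_location(constraint: str | None) -> str:
    """Map a raw LocationConstraint value to a real AWS region name."""
    return LEGACY_LOCATIONS.get(constraint, constraint)


def find_residency_violations(
    inventory: Iterable[tuple[str, str | None]], allowed_regions: set[str]
) -> list[tuple[str, str]]:
    """Return (bucket, region) pairs whose region is outside the allow-list."""
    violations = []
    for name, constraint in inventory:
        region = normalize_location(constraint)
        if region not in allowed_regions:
            violations.append((name, region))
    return violations


def live_inventory() -> list[tuple[str, str | None]]:
    """Pull (bucket, raw constraint) pairs from the current AWS account.

    Requires boto3 and credentials with s3:ListAllMyBuckets and
    s3:GetBucketLocation; not exercised by the offline sample below.
    """
    import boto3  # imported lazily so the offline check has no dependency

    s3 = boto3.client("s3")
    return [
        (b["Name"], s3.get_bucket_location(Bucket=b["Name"])["LocationConstraint"])
        for b in s3.list_buckets()["Buckets"]
    ]


# Constructed sample inventory standing in for list_buckets output.
SAMPLE_INVENTORY: list[tuple[str, str | None]] = [
    ("patient-files-ca", "ca-central-1"),  # in-country, as intended
    ("hr-records-backup", None),           # actually us-east-1
    ("legacy-eu-archive", "EU"),           # actually eu-west-1
]

# Assumed policy: a Canadian organization that must keep personal data in Canada.
ALLOWED_REGIONS = {"ca-central-1", "ca-west-1"}

if __name__ == "__main__":
    for bucket, region in find_residency_violations(SAMPLE_INVENTORY, ALLOWED_REGIONS):
        print(f"{bucket}: stored in {region}, outside allowed regions")
```

Run it as-is to see the two mislocated sample buckets flagged; swap `SAMPLE_INVENTORY` for `live_inventory()` to audit a real account. Bucket region is only one input to a residency assessment: replication rules, backups and the region of any vendor that processes the data all need the same treatment.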

What Implications do Data Residency Laws Have on Your Data During an eDiscovery Investigation?

During an eDiscovery investigation, depending on the eDiscovery company, the data may be sent overseas for analysis. Here at CyberClan, we keep all data in the country it originates from.

This is particularly important for businesses operating in regulated industries, such as healthcare.

Beyond healthcare, many countries have laws regulating when data can be sent across international borders and what kinds of data can be stored abroad. Many countries restrict cross-border data storage, and the governing bodies of various professions in a given country often do so as well. As such, if you experience a data breach and need incident response or post-breach eDiscovery services, in our opinion the best practice is to respect data sovereignty in every case, so as to limit the additional risk of the data being breached a second time after it has been sent across an international border.

To learn more about data residency laws in your region, please see below.

Data Residency Per Region

Imagine your company has been hit by a ransomware attack, data has been exposed or exfiltrated (removed from your systems) and an eDiscovery investigation is now needed as part of the overall forensics… where does your data go during an eDiscovery investigation?

Canada
In Canada, data residency laws remain inconsistent nationwide. A few provinces have some form of residency legislation: for public sector data, British Columbia (under FOIPPA) and Nova Scotia (under PIIDPA) require personal information to be stored and accessed in Canada, whereas Ontario restricts only personal health information.
Meanwhile, other provinces, and certain industries and professions, have voluntarily implemented data residency requirements in anticipation of sudden legislative changes within their region.
There is no law outside the public sector that requires Canadian companies to keep data within the country, but in some cases private sector enterprises choose to do so.

United States of America
In the US, the rules are more relaxed. Data sovereignty has nowhere near the traction in the US that it does in jurisdictions like Europe and Canada.

However, if you are in a regulated industry such as healthcare, HIPAA (The Health Insurance Portability and Accountability Act of 1996) follows the data wherever it goes. HIPAA does not itself require protected health information to remain on US soil, but every party that handles it, including an overseas vendor, must be bound by a business associate agreement and meet the Security Rule safeguards, which is why many covered entities choose to keep it in the US.

HIPAA is associated with the privacy of patient healthcare information. Under HIPAA, the Department of Health and Human Services (HHS) outlines boundaries on the use and distribution of health records. HIPAA also defines safeguards to protect patients’ data and establishes penalties for the unauthorized access to or theft of information. This applies to hospitals, medical practices, chiropractors, dentists, nursing homes, pharmacies and psychologists.

HIPAA also governs the activity of business associates such as third-party administrators, pharmacy benefit managers for health plans, billing and transcription companies, and professionals performing legal, accounting, or administrative work.

HIPAA not only protects data privacy; its administrative simplification provisions also standardize electronic health transactions, which reduces fraud and administrative cost for providers.

United Kingdom
In the UK, data protection is governed by the UK GDPR, the EU's General Data Protection Regulation as retained in UK law after Brexit, together with the Data Protection Act 2018. The regime closely mirrors the EU GDPR described below.

The GDPR outlines rights around individuals’ personal data, such as:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
The rights around automated decision making and profiling

While the GDPR does not impose a data residency requirement as such, Chapter V restricts transfers of personal data outside the EU/EEA to destinations covered by an adequacy decision or by appropriate safeguards such as standard contractual clauses, which in practice encourages keeping data within Europe.

Interestingly, there were also no data residency obligations under the GDPR's predecessor, the Data Protection Directive (95/46/EC), and in fact both the Directive and the GDPR establish mechanisms for transferring data outside the EU.

To find out more about CyberClan's eDiscovery services and how we can help reduce the time and cost that the exfiltration of personal information imposes on your business, please fill in the form below.
