September 21, 2014
The unanswered question of whether the US Government can access your email stored in a non-US location took a new twist on Thursday with the introduction of new legislation that attempts to limit that access - http://www.hatch.senate.gov/public/_cache/files/1f3692d5-f41f-4c73-acf2-063c61da366f/LEADS%20Act,%20September%2018,%202014.pdf
The bipartisan Senate bill, called the Law Enforcement Access to Data Stored Abroad (LEADS) Act, would amend the woefully outdated Stored Communications Act of 1986. It would require that courts issue warrants when requesting content from service providers for both US and foreign citizens when the data is stored in the US, or that users be notified directly if a warrant is not issued. As significantly, it calls for warrants for data of US citizens stored abroad to be modified or vacated if found to violate the laws of a foreign country.
Not surprisingly, the Act was quickly applauded by Microsoft's General Counsel Brad Smith (http://blogs.microsoft.com/on-the-issues/2014/09/18/new-milestone-conversation-electronic-privacy-laws/), who stated:
“It is important that government demands for customer data comply with the laws of countries where the data are stored. And these laws must provide adequate legal protections for the privacy and human rights of users”
If enacted, the Act would apply only to data of US citizens - with warrants for non-US data of non-US citizens continuing to be addressed by the Mutual Legal Assistance Treaties (MLATs).
The LEADS Act would provide a big step forward in transparency by requiring warrants for data stored in the US ("warrant for content"), and in creating more uniform guidance for US citizen data stored abroad in light of data privacy mandates in those jurisdictions. However, its passage would be accompanied by complications, including:
- The ability to quickly and accurately identify nationality and status of end user data
- Reaction from foreign governments to processes that can be used by the US government to collect their citizens' data stored in the US
- The potential impact on new data locality requirements
- The unequal processes for US citizens and foreign nationals, in particular in light of a slow and inefficient MLAT system
These complications, along with the simple challenge of determining the location of data stored by a cloud provider utilizing a multi-tenant storage model, will no doubt be thoroughly debated as the LEADS Act makes its way through Congress.
However, in light of the LEADS Act, organizations evaluating cloud providers now are well served to:
- Determine if the cloud provider has the ability to store data exclusively in the jurisdiction of your choosing
- Prioritize cloud providers that do not have readable access to information through the separation and client control of encryption keys
- Investigate policy management capabilities, in particular the ability to provide role-based access privileges to limit access to regional data to those with knowledge of data privacy mandates in those regions
Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.