In the past two years we’ve witnessed various events that have had an impact on the open character of the Internet. In October 2015 European Net Neutrality rules were published, providing guidelines for regulation, but they were criticized by many as being too open and leaving too much room for uncompetitive behavior (here’s an example). In June 2015 the FCC published its US Open Internet order along the lines of “no blocking, no throttling, no paid prioritization”, which especially drove a significant change in the IP interconnection landscape. In parallel, we saw ongoing consolidation on the side of the ISPs, with large ones absorbing their smaller competitors or other players in the digital value chain (e.g. cloud hosting services, “Over-The-Top” – OTT – video services) or even merging with mobile providers. Another trend we saw was the launch of services for which the related Internet traffic is not counted towards the customer’s “monthly data budget”, typically referred to as “zero rating”.
Organizations are increasingly dependent on their digital infrastructure. At the same time, these organizations seem to be more vulnerable than ever as cyber criminals’ techniques become more and more sophisticated. So how can you handle this situation? In other words: how do you become a secure online organization?
This was one of the topics discussed by Dell and LeaseWeb customers during a roundtable discussion about security. IT security specialist and journalist Brenno de Winter provided interesting insights in his introduction: “If your company wants to be a secure organization, you have to manage risks. There are four options when dealing with risks: accepting them, reducing them through security measures, avoiding risks by ceasing certain activities, or partially outsourcing risk management to a third party. There are also affordable insurance policies against hacks available which are worth considering. But no matter what you do, make sure you have a risk management strategy in place, supported by tools that identify the security risks of your organization.”
“Should we keep IT security in-house or is it better to outsource?” This has long been a thorny issue for organizations. Recently, it was one of the most important topics during a LeaseWeb Security Round Table with customers and I’d like to share some of the things I learned.
The discussion immediately took off following a statement from one of the participants, an end user: “In the Netherlands, the mantra is to focus on your core business. I dare to differ. I always learned that when operations are critical to your organization, you should keep them close. If security is critical to your company, why outsource it? If you outsource, you disconnect it from your company. What do you think about this?”
On January 1, 2016, the new Dutch Law on Data Breach Notifications came into effect. Organizations – both companies and government agencies – are now required to immediately report any serious data breach to the Dutch Data Protection Authority (Authoriteit Persoonsgegevens). And, if it is likely that the data breach will have an adverse effect on the privacy of those involved, those people have to be informed as well.
A data breach is defined as the act of accessing, deleting, modifying or releasing personal data, committed unintentionally by the organization. Not only releasing (e.g. leaking) personal data, but also the illegal processing of data, will be seen as a data breach. Examples of data breaches are a lost USB stick containing personal data, a stolen smartphone or malicious access to a database by a hacker.
In October last year, the US Safe Harbor regime was invalidated by Europe’s Court of Justice, meaning that personal data of Europeans could no longer be transferred by a company to US companies solely on the basis of such companies being Safe Harbor-certified.
At the time of the ruling, no replacement for the Safe Harbor principle was proposed. The European Commission gave itself a three-month term to come up with an alternative solution, working towards January 31, 2016. It is not likely that this timeline will be met, but we expect new developments to be made public in the coming weeks.
When doing business, you want to be able to trust your partners. In modern days, this means that every partner in the supply chain needs to implement a unified compliance approach to ensure the entire chain is certified. This can be a time- and energy-consuming task, however, which is not part of a company’s core business: not only do you need to re-evaluate and adjust your processes to gain the certifications, the necessary audits can be costly as well.
It is good to know that there is an easy way out: look for an infrastructure partner that can provide you with compliance, including all necessary legal requirements, and incorporate third-party controls and processes seamlessly into your own governance framework. See quickly and clearly all your security measures and be 100% sure that the necessary tools, controls and processes are in place to cancel out continuity risks, without affecting the operational efficiency of your business.
“The Court of Justice declares that the Commission’s U.S. Safe Harbour Decision is invalid.”
The Safe Harbour arrangement has been in place since 2000. It was formalized by the European Commission’s Safe Harbour Decision (2000/520/EC), and permitted the transfer of personal data of Europeans to the U.S., to companies that are self-certified under the Safe Harbor Privacy Principles and registered with the U.S. Department of Commerce.
Last Tuesday, in a landmark judgment, the European Court of Justice – Europe’s highest court – declared the Safe Harbour Decision invalid. At present, it is not yet fully clear what the consequences will be of this judgment of the ECJ. What is clear, however, is that data should no longer be transferred to U.S. organizations solely on the basis they are Safe Harbour-certified. Companies that transfer personal data from the EU to the U.S., or rely on the processing of personal data in the U.S., will need to review their data flows for compliance with EU data protection law. They will likely need to consider alternative cross-border transfer solutions, e.g. by applying binding corporate rules, EU model contract clauses and/or obtaining individual persons’ consent for the transfer of their data. That operation will be time consuming and expensive. All this could potentially have serious implications for cloud hosting providers and their customers, who are suddenly faced with data residency issues.
EU court strikes down trans-Atlantic ‘safe harbor’ data-transfer pact. Decision will affect around 4,500 companies. http://t.co/Xn4TxivBAz
— Wall Street Journal (@WSJ) 6 October 2015