What InfoSec regulations should one be aware of when dealing with 'live' cross-border communications, or the offline transport of information?
Asked
Active
Viewed 247 times
3
-
It really depends where, can you be more specific about the locations? Or specifically cross-border? E.g. any EU laws are not "international" for europeans... – AviD Nov 22 '10 at 16:43
-
I don't have enough background to scope this question further(or know a consolidated place to refer to). With your point, I just learned about the EU datacenter laws for PII. This caught me off guard, and left me searching on how to properly round out my knowledge. – makerofthings7 Nov 22 '10 at 17:00
-
You should include more details about your physical location. In particular, at first blush, considering your profile location of "New York," it's not immediately obvious why EU PII laws apply to you. – Zian Choy Nov 23 '10 at 06:04
2 Answers
5
The world is increasingly interconnected, and it is more and more common that actions by people in one country can affect people in other countries and be regulated by laws there.
Here is a brief sampling of some of the issues to consider.
A security researcher from Russia was detained while visiting the US by authorities for distributing free copyright circumvention software. See http://en.wikipedia.org/wiki/Dmitry_Sklyarov
Web sites can have traffic from all over the world and laws in many different countries pertaining to privacy, copyright, libel, etc. may apply to the web site owners, operators and probably even contributors.
See e.g. http://en.wikipedia.org/wiki/Information_privacy and European Union Aiming To Create New Privacy Laws
Information considered a public service in one country can be seen by others as illegal. See e.g. the NPR story on Seeing The Internet As An 'Information Weapon' of which this is an excerpt:
[In 2009] Russia successfully sponsored an even sharper version of its cyber disarmament proposal at a summit of the Shanghai Cooperation Organization, which includes China and four Central Asian countries as well as Russia. The accord defined "information war," in part, as an effort by a state to undermine another's "political, economic, and social systems."
http://en.wikipedia.org/wiki/Shanghai_Cooperation_Organisation
nealmcb
- 20,544
- 6
- 69
- 116
2
@nealmcb gave some very good examples.
In general, since your question is quite vague, there are two types of laws that you need to consider when "going international":
- Local laws relevant to your destination (including regional laws, e.g. EU, and "state" laws)
- Laws of your origin country that relate to exporting your technology (e.g. the classic cryptography limitations from the U.S.).
As Neal mentioned, each of these laws may apply, depending on country/law:
- the country where your company is legally registered
- the country you are selling into
- the country where your technology is being developed
- the country where your users are located / citizens of
- the country where your web servers are physically located
- the country where your database is physically located
- the country/ies where your cloud provider may migrate your cloudy instance/s to (good luck with that one).
As mentioned, some of the big ones to know about, besides the non-country regulations such as PCI-DSS and depending on industry, are EU Data Protection, Basel II, and the Chinese Firewall.
If you ask a more targeted question, it may be easier to provide more specific answers.
AviD
- 72,138
- 22
- 136
- 218