
I work for a head hunting company with offices in Canada and Asia. We migrated our custom built CRM system from our own servers hosted in Japan to an Amazon hosting service, meaning that all our data is now held on Amazon servers in the US.

Data includes names, dates of birth, contact details, current and previous places of work, current and previous salary, full resumes, notes on information learned from candidates that could be anything from domestic issues preventing them from changing job to confidential insights into their current employer. Basically everything you would need to perform identity theft, limited corporate espionage or in some cases blackmail. Although I do not have the exact number, it is between a quarter and half a million records in varying states of completion.

If relevant, all connections from users are via IP filtered HTTPS. The developers connect by the standard Amazon SSH policy. SNMP and NRPE are also accessible but again IP filtered. The database is not encrypted and the server instance is replicated (files and database) in plain text to another server instance on the same local Amazon subnet.

When in Japan, all the data fell under Japanese law which we were able to cover. However, without a corporate entity in the US, I have no idea what if any laws, standards or audits we are meant to be following with regards to data security. Would it be US laws/standards as the CRM and data are now in the US? Canadian laws/standards as that is the nearest entity and that office actually maintains the CRM system? Japanese law/standards as the Japan office is the biggest and has generated the majority of the data? Some international laws/standards I am unaware of?

If possible, can you please provide links to the relevant information/standards/professional bodies in your answers? I am more than happy to do the footwork if you can point me in the right direction.

S.L. Barth
  • I'm not a lawyer, but I would think that any responsibility to comply with any standard/law is upon Amazon, not you... still, the USA is not known for respecting privacy, so I strongly suggest you encrypt your database – Freedo Jul 15 '15 at 02:46
  • Duly noted, thanks @Freedom. This is also a grey area for us. As our CRM is a custom built product, if our CRM code is full of security holes, I think that Amazon should be immune. However, if Amazon is compromised and our data is leaked, then I believe that Amazon should be liable. In both situations, I am still not sure under which jurisdiction who would be liable. I would guess Amazon under US law, but then would my employer be liable under US, Canadian or Japanese law? That said, this is not another question; I am still looking for which standards we should be abiding by. – Nicholas Adams Jul 15 '15 at 03:06
  • Do your employers work in the US using servers located inside the US? If not, US law does not matter. If your employer is outside the US then it's outside US laws anyway... but when I said the US is not known for respecting privacy I mean **really**, your database could be stored on an NSA server by now... but let's see what other people here have to say about this... like I said, I'm not a lawyer... just a control-privacy freak ^^ – Freedo Jul 15 '15 at 03:12
  • And one more piece of advice: how long do you plan to keep this database? 10 years? 20 years? If it is custom code you need people maintaining it, looking for holes, and this only gets harder the bigger the code. I know that by now the time and cost to upgrade can be a no-go, but you may find these alternatives useful: https://opensource.com/business/14/7/top-5-open-source-crm-tools If you use an open source CRM you know that there are people maintaining it, upgrading it, fixing security patches. And if you badly want a functionality you can add it yourself – Freedo Jul 15 '15 at 03:24
  • Thanks for the fast response @Freedom. The only assets we have in the US are the Amazon servers. We have no staff or offices there, not even a registered presence. Head office and CRM development is in Canada whereas Japan, China, Singapore and the Philippines merely have offices. The database itself transitioned to v3 last summer following 1 year of development involving a near complete re-write and change of the database engine. It is at least 10 years old and will probably continue for at least another 10. – Nicholas Adams Jul 15 '15 at 03:28
  • I think that it would be quite prudent to seek legal advice in each of the jurisdictions in which you have a corporate presence, particularly so if respondents reside in the same region. For example, Australia (where I am) has strict privacy legislation that explicitly deals with transborder flows of data collected from Australians by Australians, including continued exposure mitigation in such circumstances. Beyond legislative requirements, and as @Freedom has pointed out, at-rest encryption would be a very wise move. – Arran Schlosberg Jul 15 '15 at 07:28
  • I would believe that you must abide by any laws a U.S.-based firm would, and will probably be held to the same standards of privacy and security – Chad Baxter Jan 12 '16 at 19:24

2 Answers


I'd think that you don't have to cover US privacy law if you don't have US customers or operate in the US.

However, you will probably have to conform to the privacy laws of the country or countries you are residing and/or operating in.

You'll basically have to figure out if Japanese law allows your data to be stored outside your borders, and by a vendor who can potentially be forced by US law enforcement agencies to surrender your data.

Most often there is no easy answer to this, so if it's important I'd suggest that you find a local lawyer and talk it over with them.

averell

In Canadian privacy regulation, public bodies are not able to transfer or store PII of citizens outside Canadian borders (it should cross the border, because data exchanged with the US can be monitored). Therefore, no government or crown organizations in Canada use AWS for any purpose. The restriction is so strict that apparently Microsoft is planning to open up a data center for the Azure cloud service to help Canadian organizations move to the cloud.

On the other hand, the private sector does not have such restrictions in Canada, and they can and do migrate to AWS knowing the data ultimately resides on a server inside the US border.

For Japan, you have to check Japanese privacy laws, but I doubt the private sector would face any restriction on where they want to store their data.

Goli E