Since the Patriot Act of 2001, US companies have been required to disclose data at the request of the US authorities. With the CLOUD Act of 2018, that obligation now explicitly extends to data that US providers store on servers outside the United States.
Die Welt recently ran the headline “US company buys the DAX corporations' data vault”1. Numerous Swiss companies also rely on the Munich-based software house's solution for exchanging sensitive information with the board of directors and management. These companies now face a delicate data protection risk: potential access to confidential and strategic data by US authorities.
The takeover of the German provider Brainloop by the US software provider Diligent comes as a surprise and is causing tension in the market, because the German company thereby loses its data protection sovereignty2. The acquisition could create a delicate situation in Europe. According to a 2018 EY study on the digitisation of boards of directors, around half of the participants regularly deal with cybersecurity, data leakage, data protection and data sovereignty. In the light of this acquisition, it becomes even more important to examine seriously the new ownership structure and the challenges that come with having an American company as the owner.
Brainloop advertises that its customers' data is located exclusively in local data centres in Germany or Switzerland. Which organisational changes will follow from the announced acquisition of Brainloop by Diligent remains to be seen. What is clear is that the US authorities can use the CLOUD Act (“Clarifying Lawful Overseas Use of Data Act”) to compel disclosure of data held on foreign servers, provided the company that controls the data is subject to US jurisdiction.
The large cloud providers Amazon (AWS), Google and Microsoft (Azure) are raising concerns on several levels. Even with hosting outside the US, the question now arises: which provider holds the data, and who can gain access to it through that provider's ownership structure?
Recent proceedings against Microsoft show the efforts of the US authorities to gain access to and control over data held by cloud providers. Although Microsoft announced a partial victory in April 2018, the proceedings have since been resumed under the new legislation3.
For companies that must comply with the EU General Data Protection Regulation (GDPR), the new US legislation raises additional compliance issues. The CLOUD Act requires US companies to provide access to data even where the law of the country in which the data is stored prohibits it, while Article 48 GDPR recognises such foreign orders only if they rest on an international agreement such as a mutual legal assistance treaty. The result is a conflict of applicable law. The consequences of this conflict are still difficult to estimate, but they should by no means be ignored.
Under Swiss law, too, outsourcing data abroad brings increased risks and additional expense. Outsourcing by banks and insurers, for example, is regulated in detail by FINMA (the Swiss Financial Market Supervisory Authority). Data may only be moved abroad if the company can expressly guarantee that its audit firm and FINMA can exercise and enforce their rights of inspection4.
As a Swiss company, Sherpany hosts exclusively in highly secure data centres in Switzerland. In addition, Sherpany offers its customers a dual strategy that combines the benefits of a private cloud with data storage on the customer's own premises. Sherpany is ISO 27001 certified, holds an ISAE 3000 Type 2 assurance report and complies with FINMA's outsourcing requirements.