Is the Patriot Act really something to worry about when outsourcing?

I was at a meeting yesterday with executives from a few really big finance firms in Europe

They were talking about a service they use that provides board members with the documents they need to prepare for board meetings. Here is the story.

The supplier Diligent, is a US firm, but because of the Patriots Act its customers don’t want data stored in the US. As a result it keeps the information on servers in Canada.

The Patriot Act basically means that information stored on servers in the US can be accessed by the government if it requires. Obviously confidential data is confidential and businesses will not want their data to come under the prying eyes of the US government.
A couple of years ago one of my contacts believed the Patriot Act would have a huge impact on the outsourcing sector in the US. I haven’t seen much but a couple of meeting I have had recently have mentioned it.

But is it really that much of a worry? I mean any sovereign state could introduce a similar law if it wanted, so nowhere would be safe. And US datacentres are pretty secure and less risky than those in unstable countries. So the risks of the US government spying on you have to be balanced with other factors such as political stability and the threat of theft or attack.

In today’s IT world a huge amount of information is either stored or backed up offshore. “In fact, the actual impact of the Patriot Act in [the] cloud context is negligible,” according to this article.

I was hoping to get feedback on this blog so please comment.

Enhanced by Zemanta

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

This story is not new - when Burnt Oak realised the awesome power the Home Land security people have to use the Patriot Act we broadcast it loud and proud. Nobody listened except the French. The French government led the way and in France you will sense real anger over this world domination approach from the Americans.

Any US company is compelled under the act to supply any and all requests for data and are bound by law to NOT inform the "victim"

The world's largest outsourcing vendors are ... American and in bidding for new work use carefully worded scripts to avoid any EU client feeling discomfort.But facts are facts - any company using a US based service provider is more susceptible to state intrusion than the equivalent state sponsored espionage of the Russians and especially the Chinese.

Cloud - where is cloud if people finally wake up to the Patriot act. "Oh my data is specified to in the UK or EU only" - wake up bonzo, go read the act and see that that does not apply - any US company must by law comply with the law. Where the data is - is academic

It's not just the Patriot Act. When UK government departments are planning to outsource data management to places like India, our data becomes subject to voluntary agreements with service providers to ensure appropriate levels of security, rather than any mandatory rules governing data security within the EU.

In any case, many cloud providers already include clauses in their T&Cs to the effect that they apply US "Safe Harbor" regulations, wherever the data is stored, which exposes data to the Patriot Act in the same way.

Meanwhile, private sector companies are already making a mockery of EU data regulation. Many recruitment agencies explicitly state that when you apply for a job, your personal data may be moved outside the EU where it will not be subject to EU data regulations, or they may apply the US Safe Harbor rules. If you want the job, you have to consent to this, as they have you over a barrel.

The Patriot Act is a show-stopper if you are handling the confidential information of those who manage sovereigh wealth funds, are planning major co-operation with Brazil, China or India (let alone Russia) or who work in high security roles for HMG (e.g. employees of GCHQ). It is also the elephant in the room with regard to the Communications Data bill.