Beware – Your Sensitive Data May be Copied during Migrations
Many companies are moving their email, file systems, data archives, and essentially all of their unstructured data to the cloud for cost savings, increased security, and ease of access. Finding a data migration vendor with the right capabilities and technology is important to make sure the project meets its deadline, avoids employee disruption, produces a full audit trail of the migration process, and keeps the migration legally defensible. The last thing you are likely to think about is whether your migration vendor has made its own copy of your data, or your customers' data, for other purposes.
It's your data, not theirs
Many migration customers assume that their data will not be copied during the migration and held in an unknown repository for an indeterminate time without their knowledge and approval. With some migration vendors, this is precisely what happens: your data is stored on the vendor's on-premises servers or in the vendor's cloud subscription while it is readied ("staged") for migration. In other words, the migration or cloud vendor makes its own copy of your data, including metadata such as audit logs, user IP addresses, names, email addresses, user activity and telephone numbers, and could use that copy for other purposes, without your knowledge or approval, long after the migration is complete. Often the only place this third-party use of your data is addressed is in the service agreement between the migration vendor and its own hosting or cloud provider, not in your contract with the vendor.
Legal and regulatory risk
If the migration vendor copies your data, or stages it on its own server or a third-party server, it places your company in jeopardy during litigation and regulatory inquiries.
For example, during eDiscovery a responding party must search all potential data repositories for relevant data and disclose those repositories. Imagine responding to a discovery request and certifying that certain data or metadata does not exist because you could not find it in your own repositories, when in fact it sits in the migration vendor's possession. Competent eDiscovery litigators familiar with data migration practices will subpoena the migration vendor, discover that the data existed, and establish that you never searched those systems. At that point you would be facing spoliation claims, discovery obligation failures, adverse inferences, and exposure for withholding discoverable material, with the attendant penalties, fines, and counsel fees.
The same problem arises with regulatory compliance requirements. Many countries continue to adopt new personally identifiable information (PII) regulations that protect an individual's data when it is collected and held by companies. A long-established example in the U.S. is the body of SEC and FINRA regulation for the financial industry. Two requirements in particular could conflict with a migration practice of copying and retaining certain types of customer data. The first is SEC Rule 17a-4, which requires that all broker-dealer communications (including all metadata) be retained on immutable storage; an uncontrolled copy on a vendor's staging server is neither immutable nor part of the records system you certify.
The second is Section 504 of the Gramm-Leach-Bliley Act. Section 504 requires the Commission and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers. Under the Act, a financial institution must provide its customers with a notice of its privacy policies and practices, and must not disclose nonpublic personal information about a consumer to non-affiliated third parties unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure. A migration vendor retaining a copy of customer records is exactly such a disclosure to a non-affiliated third party. The Act also requires the Commission to establish appropriate standards for financial institutions to protect customer information.
A new, ground-breaking regulation coming into effect in 2018 is the European Union's (EU) General Data Protection Regulation (GDPR). The GDPR is a law adopted by the European Parliament, the Council of the European Union, and the European Commission to strengthen and unify data protection for all individuals within the EU.
Under the GDPR, personal data is any information relating to an identified or identifiable person, including a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. This includes metadata that can be used to identify an individual. Violating the regulation can be extremely costly: organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater.
The difficulty for GDPR compliance is that a company must be able to respond quickly to an individual's request for a complete account of what personal data it holds and how that data is used. If all or part of the individual's data sits in an unknown third-party repository, the individual cannot receive a comprehensive report. That exposes the original company (the data controller), any third party processing or storing the data on its behalf (a data processor), and any other intermediary, including a migration vendor, that is in possession of the personal data.
The bottom line: if an individual in the EU asks the company (the data controller) for a report of all personal data held about them and then asks for it all to be erased, the controller cannot fulfil the request, because a copy remains in the migration vendor's hands. That puts both the controller and the vendor in jeopardy of substantial fines and penalties.
The Atlantic is no protection
The GDPR applies not only to organizations located within the EU but also to organizations outside the EU that collect data on, or monitor the behavior of, individuals in the EU. It also restricts the export of personal data outside the EU.
Don’t assume - verify
A useful test is to ask the migration vendor for its standard services contract and check whether this practice is mentioned. If it is not, ask whether the vendor does in fact capture and retain customer data (or metadata), why it does so, and why that is not spelled out in the contract or in the marketing and sales collateral. Such an omission should be a huge red flag.
To guard against this practice, you should ask the vendor the following questions:
- Do you copy your customer’s data to your own servers or cloud accounts?
- What is the reason for this?
- How long is the data kept?
- Who has access to it?
- If customer data is copied to your servers or cloud account, do you make this information available ahead of time, i.e. include it in the contract?
- Do your customers have visibility into your servers while their data is stored there?
- Are your customers able to verify the use of their data by audit trail while staged on your server?
- Do you provide the physical address of where you stage your customers’ data?
- Do you provide a detailed list of where the data is stored, such as databases, local cache files, public or private cloud infrastructure, applications, etc.?
- Is customer data or metadata copied to third-party cloud providers such as AWS, or to any other system the customer does not control?
- Do you provide evidence on how data is secured, what encryption method is used, who has access to the encryption keys, and how the data is encrypted and decrypted?
- Are there access controls?
- Is the data continuously audited and reportable? Can you supply evidence on data access and possible manipulation?
- What control processes are in place for internal and external users?
- What third party certifications are in place to attest to the integrity of said control processes?
If your data migration vendor cannot or will not answer these questions to your satisfaction, then you should run for the hills!
In reality, your migration vendor should be willing to provide you with full technical details on how your data will be moved, audited, and protected, and if copies are made and why. If the vendor contract does not specify that your data is never copied and retained on one of their assets, then you should write it in, just to make sure. If they don’t copy your data to their devices, they should not have an issue agreeing to the contract change.
Clean data migration with FastCollect
Archive360's FastCollect migration solutions operate at the object level to find, collect and migrate all of your archived information, including metadata and stubs, in a legally defensible manner. FastCollect enables you to migrate your data in a matter of hours or days rather than weeks or months. And FastCollect never copies your data to our servers or cloud, so your data is only ever stored in your own protected repositories. To find out more about FastCollect, see the FastCollect data sheets.