Many businesses are moving, or have moved, their data to one of the various cloud servicing companies, like the Google Cloud Platform, Amazon Web Services, Apple iCloud, and Microsoft Cloud. Depending on which cloud service provider you use, your data could be segmented and stored on a number of different servers in the United States, Belgium, China, Singapore, and other countries. Anyone caught hacking a server in the United States has violated criminal and civil anti-hacking statutes, and can be looking at hefty fines and prison time. But what happens if a hacker in Russia attacks a server farm in Taiwan, and unlawfully accesses your data stored there? American laws do not apply to deter or punish those activities. Instead, one must rely on local authorities in those countries to enforce their own anti-hacking statutes, assuming such laws exist.
Of the various cloud services, the Google Cloud Platform seems to be the most transparent. Google stores data in what it calls bucket locations, or server farms, in the United States, Canada, the European Union, Asia and/or Australia.[1] The Canadian server farms are in Montreal; the European Union servers are in Belgium, London, Frankfurt, and the Netherlands; the Asian servers are in Taiwan, Tokyo, Mumbai, and Singapore; and in Australia, the servers are in Sydney.
Microsoft, on the other hand, does not publish where its servers are located, citing security concerns. If you use Microsoft to store or backup data, your data could be anywhere.
Just because Google is transparent about the location of its server farms does not mean your data is safer. Likewise, the mere fact that Microsoft keeps the location of server farms “secret” does not mean your data is any more (or less) at risk. In situations where the hacker and the server farm are located outside the United States, the hacker is not subject to American jurisdiction.
Other questions concerning third party data hosting arise, such as whether the server farm is owned by the hosting company (i.e., Google, Amazon or Microsoft) or whether the hosting company uses third-party contractors in foreign countries to store data. It is quite possible that a Taiwanese-based company owns the server farm. In this situation, the hosting company has entered into a contract with the Taiwanese entity to use its servers. The agreement between the hosting company and the Taiwanese-based contractor likely has many provisions dedicated to security standards and protocols. Or, at least, it should have those provisions. The typical small business will never know.
So, it’s 10:00 PM, and now you know where your data is: Scattered across numerous servers from South Carolina to Taiwan with some of it probably residing on servers owned by a foreign company operating under a contract with your name-brand cloud hosting company. Feel better now?
To address these issues, our attorneys offer data management legal services. Contact our team for more information today.
[1] https://cloud.google.com/storage/docs/bucket-locations