Ten years ago finance directors were concerned over data protection laws when outsourcing to destinations outside the European Union such as India.
What would be their legal rights if there was a security breach? Who would be liable and ultimately pay if things went wrong?
Today those same concerns, labelled ludicrous by technology sympathisers, have resurfaced.
This time the focus is on using online software, where the data is stored abroad. Previously, outsourcing concerns focused on where data was used, as opposed to where it was kept.
When using online software, known as cloud computing, business information is held in various data centres around the world.
SMEs, in particular, are concerned over this development. They are unsure of how data protection laws apply to them if the information is held in centres outside the EU. Many are unable to afford legal advice on jurisdictions outside this vicinity.
The EU is streamlined so data protection laws are more or less the same across member states.
Many of the larger technology players have data centres outside the EU – for example in the US. Customers are worried about security breaches in these data centres.
Some organisations take regular trips to check security. The UK government also recently announced it would only use cloud software with data centres in this country.
Salesforce.com, one of the largest cloud vendors in the world, has revealed – in direct response to UK government policy – it will build more centres in the EU, including the UK. Microsoft also announced plans to build centres in EU jurisdictions.
Software companies say there are always security concerns when it comes to technology. Unit 4’s marketing director David Turner believes this is a temporary problem which is likely to be blown out of proportion.
Realistically, SMEs are kidding themselves if they think just because the data is on their own premises it is secure, says Turner.
Aside from financial institutions, many SMEs’ IT security is woeful. Small companies holding their own data are very unlikely to have as high a level of security as cloud vendors. So far data centres, in their ten-year history, have not had a significant security breach.
It’s a common challenge for SMEs to invest in IT and manage it themselves. Their focus is on the core business and few are technology experts, says European research director for Gartner Carsten Casper.
Gartner’s clients have also voiced their concerns that other jurisdictions’ anti-terrorism legislation could put their data at risk of being impounded by foreign governments.
For example, the USA Patriot Act [see end of analysis] could in theory allow the US government to close data centres and impound information if it believes there is a risk to national security. Many organisations are wary of allowing a government this level of control.
However, Casper believes this is not unique to the US and most governments could use some form of legislation to impound data if they believed it contained national security risks.
Oracle recently revealed details of a private cloud offering in acknowledgement of these concerns. It has created a mini data centre which can be kept on-premise.
The catchily named Exalogic Elastic Cloud will have cost the company $4bn (£2.5bn) in one fiscal year to develop and is set to be available in the first quarter of next year.
Companies can access information over the internet; however, the machine is located in the company’s own head office. “Companies have to find a mix of what is legally acceptable, technically feasible and economically viable,” said Casper.
What is the Patriot Act?
The USA PATRIOT Act increases police and other law enforcement powers to investigate emails, medical, financial and other records, as well as reducing restrictions on foreign intelligence gathering. It also increases the US’ ability to regulate financial transactions, particularly those involving foreign individuals and organisations.
It was signed by George W Bush in 2001 to beef up anti-terrorism laws following the 9/11 attacks. The title is an acronym: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.