Back to blog

Private communications, compliance and migration

Nov 26, 2015 by Romulo Melillo

Paris reminds us that compliance is not just about email data
Although speculation that the tragic attacks on Paris in November 2015 were planned using the in-gaming PlayStation4 (PS4) network appears to have been discredited, the story raises important compliance and security questions for organizations. Where does compliance begin and end, what is covered by regulation, and how do you safely move data between different jurisdictions?

The encryption conundrum
The PS4 story originated from a misunderstanding of comments made by Jan Jambon, Belgium’s deputy prime minister and minister of Security and Home Affairs. Jambon is said to have claimed communication over PS4 is “more difficult to monitor than WhatsApp” and that international security services struggle to decrypt it.

Of course, any private communication system – whether using in-game communications, Facebook Messenger, or even encrypted smartphones – generates data that ends up being stored somewhere. It makes sense for that data to be encrypted. For years security specialists have been telling us to make sure we use high-quality encryption for emails and, more recently, for data transmitted to and from mobile devices. But encryption is as much about protecting data at rest as it is about data in transit.

The focus has been on making sure that, if data leaks, it is unusable to the recipient. But right now there are claims that governments like the UK may be threatening this principle. Experts say the UK Home Office’s draft ‘snoopers’ charter’ bill will damage privacy, and may push criminals into using even stronger encryption.

Where in the world is your data?
All this comes at a time when the European Union (EU) is poised to introduce General Data Protection Regulation (GDPR), which will dramatically change the standards organizations need to comply with to protect and migrate data – including outside the EU itself. According to leading law firm Norton Rose Fulbright: “the GDPR’s jurisdiction will reach outside the EU, with extraterritorial jurisdiction tied to the offering of goods or services to, or the monitoring of, data subjects in the EU.”

In other words, if your servers hold data about individuals which is personally identifiable, you not only need to keep it secure at rest (presumably with good, strong encryption that can only be hacked by your government… we’re glad we’re not the ones writing the rules), but secure while it’s in transit.

The idea of being able to migrate personal data freely is actively encouraged by GDPR, which recognizes that the cloud industry should be a more competitive and open market. Article 18(2) makes it easier for users to change their service providers when they are no longer satisfied with another provider’s services. Think of a social network: you might be dissatisfied with your current provider, but by canceling your account, you would lose all the content you submitted. EU competition commissioner Joaquín Almunia is on record as saying: “Customers should not be locked into a particular company just because they once trusted them with their content.”

How does this affect my business?
There’s no excuse for not encrypting your business’s communications, whatever form they take – email, private messaging, social media, mobile. Regulations like GDPR insist on appropriate protections for any data identifying private individuals (you probably hold quite a lot of that).

You’re probably aware of the end of Safe Harbor principles between the EU and US, and the fact that companies like Microsoft have signed up to the EU’s ‘model clauses’ on data protection. With a reputable cloud service therefore there shouldn’t be anything to worry about regarding normal business operations.

But what happens when you actually migrate data? It’s your data. You are responsible for it (not your service provider – GDPR is quite clear on that). You need to be able to package, encrypt, transfer and ingest into the new environment without compromising security or Chain of Custody. You need to make sure that when shipping data from one side of the world to the other you use the right route to avoid falling foul of jurisdictions that don’t meet GDPR’s standards. It can be a compliance officer’s nightmare.

Sound familiar? That’s exactly what’s required in every email or archive migration. It’s what Quadrotech helps manage every day. But such compliance standards quite clearly extend beyond email to any data you hold.

Converged communications and migration
Whether or not the Paris attacks were planned using the PS4 network, the fact is that using private communications systems in this way is technically possible. Such data may up sitting on your servers and requested for inspection by the authorities. In a cruel irony, it’s alleged that the 9/11 attacks were planned using draft emails on a webmail server, not logged as the emails were never sent.

Modern communications systems are converging. It’s not unusual for organizations to rip out old telephony and introduce unified telephone, instant messaging (e.g. Skype for Business) and other feature-rich environments. That’s only going to generate ever bigger bundles of encrypted information that, one day (even if because your old servers are being decommissioned) is going to have to be migrated.

We’ve always described Quadrotech as ‘the migration company’. We’re known for safe, secure, fast, and reliable email migration, but the same principles apply just as much to transferring any other type of data. If you need help understanding the practicalities of migration compliance developments in this new world, it’s worth viewing our Office 365 email migration tool.