Insurers adopting cloud computing face a data sovereignty minefield
Last year was a turning point for data protection in Asia. Several countries adopted new rules governing data and privacy while two massive breaches served as cautionary tales for international companies that collect and hold data. In South Korea, the names, social security numbers and credit card details of 20 million South Koreans - almost half the population - were stolen by a computer contractor working for a credit scoring firm.
Meanwhile, in Japan, education services company Benesse was forced to issue a public apology and is facing a lawsuit after a rogue employee leaked the confidential information of at least 7.6 million people (possibly as many as 20 million). “There have been high-profile breaches in the region and as a result there’s an increased scrutiny of data protection laws,” confirms Jeremy Tan, a senior associate at Norton Rose Fulbright.
In Singapore and Malaysia new “European-style” privacy laws came into force last year, while in China, consumer protection laws were amended to include data privacy principles. In South Korea, steeper financial penalties were introduced for failing to protect sensitive information. “Data sovereignty is a hot topic in Asia because there’s been a whole slew of data privacy laws that have come into force in just the past three or four years,” says Tan.
“With more data protection laws the issue of data sovereignty arises,” he continues. “Unlike in the EU, the laws in this region are not harmonised so they have differing standards and differing expectations. That makes it a bit tricky for insurers when they want to adopt cloud, because that cloud inevitably involves the transferring of data from one jurisdiction to another.”
“Data privacy at least in Asia has a very consumer protection agenda,” he continues. “With insurers collecting more and more personal data there will be greater scrutiny on the users of cloud computing and collectors of personal data on the whole.”
From an insurance company perspective, there are real risks in transferring data into a jurisdiction that has strict data privacy legislation. Taking the US as an extreme example, retail giant Target, which had up to 40 million debit and credit card numbers stolen last year, has so far reported data breach costs of up to $248m.
A survey last year from ResearchNow, commissioned by Peer 1 Hosting, showed that 25% of UK and Canadian businesses plan to pull company data out of the US. This is partly a result of the NSA snooping revelations, revealed by Edward Snowden in 2013, with concerns raised around security, compliance and privacy in the cloud, particularly for businesses in highly-regulated industries.
One possible means of navigating the data sovereignty challenge is a hybrid cloud solution. Insurers that want the ability to tap into the scalability and cost efficiencies of a software as a service (SaaS) model can develop dedicated resources alongside this in which to place secure customer data.
“Only a couple of weeks ago we were working with a European client looking to move part of their application suite to the cloud,” says Cole. “They were nervous about the US jurisdiction laws and what it meant for their data. We came up with a compromise solution that keeps all their confidential private data internal to their organisation and encrypted, while they’re also getting the benefits of the cloud solutions out there.”
“Many of the obstacles out there can be overcome,” he continues. “This client was using a mainstream SaaS solution but was quite worried about privacy and data residency. So the compromise was to ring fence key elements of the data using another software package. It’s pretty industry standard now and UK insurers are using the model as well to make sure they protect their client’s data.”
As the new data privacy laws in Asia bed down, critics argue regional businesses could be disincentivised by the regime. The ability to develop and exploit innovative electronic and mobile commerce platforms, engage new technology service providers and reap the benefits of consolidated processing centres in high-tech hubs could be curtailed by the national data walls cropping up.
“In Singapore the insurance regulator has issued a consultation paper on proposed changes to outsourcing guidelines,” says Tan. “They have made it clear that they are looking at things like data segregation and data security. These are things that make the cloud less palatable as an option, because one of the benefits of having a cloud is to have all your data aggregated.”
“It’s really about getting an understanding of the lay of the land and having good relationships with the regulators - getting feedback and their view on how they would react to certain cloud offerings,” he continues. “Private cloud solutions are definitely looked upon more favourably simply because it has the perception that it’s more secure.”
“There is a view in the market that it’s about the regulators and adopters of cloud technology coming to a sensible middle ground, where the regulators are confident their prerogatives are met and at the same time the insurers are able to reap the benefits of cloud,” he concludes.
This piece first appeared in a GR special report on insurance and cloud computing, in association with Equinix.