Home » Data Protection » PCI and Compliance

Opinion

Home Is Where the Hard Drive Is

Designing an infrastructure to be compatible with many legal environments can ward off privacy headaches.

By David H. Holtzman

January 09, 2003 — CSO — The differences between e-commerce and traditional commerce are glaring when you squint at them through a regulatory spyglass. While industrial age governmental policy freezes like a 10-point buck in headlights, the legal prey of tomorrow is only a distant blur. Designing an enterprise requires long-term vision, but strategic planning is next to impossible when the networks you build today will outlast the laws that govern their behavior.

Let's say you've just been hired in a senior information security position at a U.S.-based company that sells collectible widgets online. You have been asked to sit down with the general counsel (GC) and CFO to map out a long-range enterprise architecture that will support the company's growth. The CFO insists that the company converge on a centralized infrastructure to reduce costs in the business units. The GC innocently asks about conforming to legal and privacy rules. "Which ones?" you ask.

In traditional commerce, governance rules are negotiated and captured in treaties. The exceptions to that are products with cultural significance that override the economicsthe sex and drugs type commodities.

In e-commerce, all transactions fall into this category because the marketplace incorporates hot issues like privacy, intellectual property and taxation, regardless of the product.

Not only are the rules subject to change, it's also unclear whose rules are applicable. The jurisdiction of a single e-commerce transaction could equally be where:

The company is incorporated
Servers are located
The company does business
The customer lives
The fiber-optic cable runs
A remote employee accesses the customer database

The first wave of e-commerce was defined by the workarounds. Institutions and authorities kept policy afloat like a beach ball at a rock concertuntil the bubble popped. That resulted in stopgap policies such as the Internet sales tax moratorium and the Safe Harbor privacy provisions for doing business in the European Union.

The second wave of e-commerce will be defined by the exceptions. These irregularities will be created by the mismatches of overlapping sovereignty. For some businesses, this will be disastrous; for others an opportunity.

Economic need will twist the legal areas of commerce further out of alignment with the physical location of the systems and servers. That incongruence causes the problem. How do you design an enterprise architecture for legal compliance when you don't know whose laws may be relevant and which laws likeliest to cause trouble are in flux? Here are some suggestions:

Pay careful attention to where the data comes out, not in; most countries will probably attach conditions and penalties to data use, not aggregation. Tag accounts with their geographic location so that they can be policy controlled. For instance, if you have an auction site, don't let French or German customers see, let alone buy, Nazi memorabilia.
Transfer your servers to the most subpoena-favorable legal climate available internationally, most likely in the Caribbean. This is similar to companies incorporating in Delaware for tax reasons. Indian reservations may become prime locations for server farms.
Don't ask, don't tell. If your customers are not buying goods that require shipping, don't ask for more information than you need. The more you ask for, the likelier that you'll violate an ordinance. If you have too much information, you lose plausible deniability as a defense.