In a new paper published in the Arizona Law Journal of Emerging Technologies, CBDF Research Director Peter Swire and CBDF Senior Fellow DeBrae Kennedy-Mayo provide the first systematic analysis of the types of risks that data localization creates for cybersecurity management. Rather than protecting cybersecurity, “hard” data localization (wherein the transfer of data to other countries is prohibited) often creates obstacles to integrated management of cybersecurity risks, reduces the effectiveness of purchasing cybersecurity-related services, and systematically disrupts information sharing.
The paper focuses on defensive cybersecurity, including the effects on the ability of organizations such as corporations and government agencies to identify, protect, detect, respond, and recover in the face of cyber-attacks. Swire and Kennedy-Mayo propose a new framework for approaching data localization based on organizational form, examining its impacts within an organization, across organizations with payment, and across organizations without payment.
According to the research by Swire and Kennedy-Mayo, data localization may create barriers to any integrated management efforts for cybersecurity risk, potentially negatively affecting 13 of the 14 ISO 27002 controls. For organizations that opt to pay for third-party cybersecurity services, data localization can reduce the effectiveness and comprehensiveness of purchased cybersecurity products. Localization can also prevent the implementation of state-of-the-art cybersecurity measures, thus potentially incentivizing bad actors to target organizations in localized regions where access to effective cybersecurity services remains limited. Lastly, for organizations that do not pay third parties for such services, the category of “information sharing” can be significantly impacted by restrictions on data transfer.
* * *
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.