Security versus data leakage risk.
How secure is your data in the cloud?
The issue of security and data protection in the cloud is becoming increasingly complex for companies. One crucial aspect that is often underestimated is the risk of data leaking to third countries such as the USA as a result of their national security laws. Organizations that rely on the services of large cloud providers (hyperscalers) are particularly affected.
Legal bases that you should know:
- Executive Order 12333 (EO 12333): Mandate for US authorities such as the NSA and CIA to gather foreign intelligence. Decisions are made without judicial review.
- FISA Sec. 702: Allows targeted monitoring of “non-US persons” and binds cloud providers to cooperate via “compelled assistance” – often secretly and without notifying customers.
Disclaimer: The legal bases mentioned (EO 12333 & FISA Sec. 702) are anchored in administrative or national security law and are therefore above civil law, on the basis of which most outsourcing contracts with hyperscalers are concluded by Swiss companies.
We do not offer legal advice, but security advice.
What does this mean for your company?
- Schrems II and the reality of data protection requirements: Despite standard contractual clauses (SCCs) and additional security measures, gaps in data control remain.
- Transparency deficits and geopolitical risks: The lack of transparency in surveillance requests and possible sanctions could have unexpected effects on data availability.
The opinion of the European Data Protection Board (EDPB) is that there are currently no legal, organizational or technical measures that can completely eliminate the risk of foreign intelligence gathering by third countries in the cloud.

Conclusion: security positioning is crucial
Companies in Switzerland and Europe must develop a comprehensive security strategy in order to minimize the risks posed by third-country interference. This includes:
- Selection of cloud providers that offer the highest encryption standards and ideally are not subject to “compelled assistance” under EO 12333, FISA obligations or similar obligations under administrative law.
- Use of technologies such as Client-Side Agents (CSA) and Highly Secure Models (HSM) to mitigate the risk.
- Strengthening the internal security system at a logical, technical, physical and personnel level in order to be prepared for possible incidents.
The risk of data leaks in the cloud is not just a data protection problem – it is a security risk with global implications.
Is your cloud data really secure?
With our extensive expertise in process design, we create tailored solutions that align regulatory requirements with best security practices. We rapidly identify the key compliance and security risks affecting your organization and integrate effective mitigation strategies into your contract and risk management frameworks. Our approach emphasizes stakeholder alignment and the optimization of critical interfaces to ensure seamless and secure third-party collaboration.
We are happy to support you with the following services:
- Carrying out a comprehensive risk analysis of outsourcing contracts from the perspective of third-party security risk management
- Security-based Data Transfer Impact Analysis (DTIA) for the assessment of data transfer risks
- Review of additional organizational and technical security measures
- Identification and designation of security risks when outsourcing to cloud providers in third countries
- Creation of a prioritized risk mitigation plan (risk treatment plan)
- Selection of cloud providers that offer the highest encryption standards and ideally are not subject to “compelled assistance” under EO 12333, FISA obligations or similar obligations under administrative law.
Do you have any questions?
We would be happy to accompany you and your company on the path to security!