In March of this year, the US Congress passed the so-called Cloud Act. This allows US authorities worldwide access to data from US companies – even if their servers are located in the EU. For this reason, the IT Security of companies who store data with US providers is at stake.

The so-called “Cloud Act” (Clarifying Lawful Overseas Use of Data Act) commits US companies to provide data to US authorities on request, irrespective of location. US legislation thus places American law in an EU member state above EU law. Therefore, US companies are in a dilemma in future: if they deny access, they break American law and vice versa European.

Microsoft fought and lost

One of the reasons for the decision was Microsoft. The matter goes back to 2013. At that time, the US Department of Justice investigated drug crime and asked Microsoft for access to a suspect’s e-mail account. However, as the server with the data was in Ireland, Microsoft invalidated the search warrant. It came to a process that Microsoft lost in the first instance and won second place. Due to the new Cloud Act, this case has now been declared done. The question of how an acceptable solution between the US and the EU or the individual member states can look like is currently being discussed.

Sensitive Data are no longer safe at US companies

But what does that mean for companies, that uses services by US companies? First and foremost, they must be aware that true compliance with the EU GDPR can fail. Taking the next step, the Cloud Act also allows US authorities to arbitrarily gain access to all data of a company stored at a US partner or services provider – including business and enterprise secrets or information about IT Security measures.

Security-relevant Data should not leave the company

Companies, that sources IT security services such as Vulnerability Management from US providers and store sensitive data with them, should now take action. For a maximum of security, they should at least switch to a European partner, who only stores data in data centers within the EU. Finally, this raises the fundamental question of whether safety-related data should or have to leave the company at all. After all, there are certainly IT security service providers in the market whose solutions work exclusively within the company IT and do not transfer data either to the cloud or to the provider.

An example of this is our Greenbone Security Manager. It scans IT networks for vulnerabilities and forwards data and reports only within the secure enterprise network.

Cloud Act calls for action

Once again, the Cloud Act shows that the US attaches far less importance to privacy than the EU: while the Europeans consider data security as human rights, in the United States it is “only” a civil right – which therefore only refers to Americans. In the American legislation, the interest of European citizens will therefore continue to receive little or no consideration in future. Companies have to adjust that. They should use the Cloud Act as an opportunity to bring sensitive data outside the reach of American authorities. This can happen for example by switching to European or German service provider. However, the best option for IT security is to choose solutions in which sensitive data does not even leave the company.