In the paper entitled “The Effects of Data Localization on Cybersecurity,” CBDF Research Director Peter Swire and CBDF Senior Fellow DeBrae Kennedy-Mayo provide the first systematic examination of the effects of data localization laws on cybersecurity. The authors focus on the effects of “hard” data localization, where transfer of data to other countries is prohibited. The discussion includes both de jure and de facto effects, including China’s explicit laws, recent enforcement actions in the European Union, and proposed privacy legislation in India.
The authors propose a way to organize the effects of data localization rules on cybersecurity. First, data localization creates obstacles to integrated management of cybersecurity risk within a single organization, such as a corporation or government agency. Second, data localization creates obstacles for an organization in using cybersecurity-related services from outside of the organization. Third, apart from cybersecurity services, data localization creates obstacles to information sharing between organizations, and information sharing is an important tool for reducing cybersecurity risk.
The authors provide details related to each of these topics:
– Their analysis shows that data localization would threaten an organization’s ability to achieve integrated management of cybersecurity risk. 13 of the 14 ISO 27002 controls, as well as multiple sub-controls, would be negatively affected by data localization. As a specific finding, required localization in two or more nations clearly restricts the ability to conduct integrated cybersecurity management.
– The analysis explains how data localization pervasively limits provision of cybersecurity-related services by third parties, currently a global market of roughly $200 billion. Notably, data localization laws supported in the name of cybersecurity often undermine cybersecurity – purchasers in the locality are deprived of best-in-breed cybersecurity services, thereby making them systematically easier targets for attackers.
– Data localization threatens non-fee cooperation on cybersecurity defense. Notably, localization undermines information sharing for cybersecurity purposes, which policy leaders have emphasized as vital to effective cybersecurity.
The authors conclude by noting that until and unless proponents of localization address these concerns, scholars, policymakers, and practitioners have strong reason to consider significant cybersecurity harms in any overall analysis of whether to require localization.
To view the Center for Strategic and International Studies event entitled “Cybersecurity Considerations for Data Localization Regulation” where Swire and Kennedy-Mayo discuss the paper, click here.
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.