2018 cooperative study on IT and data security proves that many companies are still unaware of the different legal regulations on IT security

Hamburg, January 22, 2019 – 62 percent of IT and security experts trust that the strict IT security requirements of the German Data Protection Ordinance (DSGVO) will also be met by American companies. This is the result of the cooperation study “IT and Data Security 2018” commissioned by the National Initiative for Information and Internet Security (NIFIS) and the Sync&Share provider TeamDrive Systems GmbH. With the cooperation study, the association and the companies involved want to draw more attention to the topic of IT security and bring together different perspectives on it. “After this result, we have to assume that the majority of management is not aware that the Cloud Act allows US authorities to access data stored abroad. This not only completely contradicts the efforts of the DSGVO, but also represents a huge security gap for European data,” warns Dr. Thomas Lapp, Chairman of NIFIS.

Beware of negligence

In fact, the transfer of data within the EU is regulated by the Telemedia Act and the GDPR. These regulations stipulate that personal data may only be passed on with the express confirmation of the person concerned. The American Cloud Act, on the other hand, stipulates that US authorities can also access data stored abroad if the servers are under US control. “This explains why it is simply not possible to expect GDPR-compliant security from American companies as well. US companies will have to contradict a legal requirement,” warns Lapp. According to the cooperation study “IT and Data Security 2018”, 35 percent of respondents are actually prepared to avoid US-controlled services where possible for this reason as well. Three percent, however, continue to entrust US providers in Europe with their company’s personal and confidential data without restriction.

Cloud and security like to join forces

Compliance with the regulations of the GDPR and simultaneous use of cloud services is possible despite these legal inequalities. Detlef Schmuck, Managing Director of TeamDrive Systems GmbH, is convinced of this. “Users should only make sure that the selected cloud provider is GDPR-compliant and that the data remains in Europe. At the same time, the security of data and information must already be defined in the provider’s architecture. Security without end-to-end encryption works only with absolute trust in the service provider and its employees. Secure data protection can only be guaranteed by end-to-end encryption, where the user controls the keys. Legislation cannot change this,” says Schmuck.