BUILDING DATA CENTERS: UNDERSTANDING THE RISKS. Managing Risk Maximising Opportunity.

Transcription

1 BUILDING DATA CENTERS: UNDERSTANDING THE RISKS Managing Risk Maximising Opportunity

2 Building Data Centers: UNDERSTANDING THE RISKS The world is inundated in new information. Ninety percent of all data ever created has been generated in the past two years, and the amount of data worldwide is expected to increase 40-fold in the next decade, according to a recent IDC/EMC Digital Universe study. With this amount of growth, it s not surprising that the number of data centers around the world is also increasing exponentially. For more and more companies both in the United States and abroad data centers have become critical to successful business operations, both domestically and internationally. Once exclusive to the technology world, data centers started popping up more and more during the dotcom boom. Today, every mid- and large-size company must have at least one well-established and efficiently functioning data center to house its massive quantities of data. Some companies choose to build and house their own data center, others share data center space and functionality with other companies in a co-located facility, and those with more limited needs may make due with cloud services. Setting up a data center requires careful consideration. Depending on the size of the data center and the jurisdiction in which a company decides to build it, various complex considerations, from technical performance to risk tolerance, are at play. With each of those considerations comes risk. Regulatory issues, such as data privacy concerns, as well as intellectual property and e-discovery issues, are all factors that companies must consider as they start assessing their options. Corporate legal departments must be involved in these projects from day one. This report discusses best practices for companies building data centers both in the US and abroad, the risks associated with the process, and the legal department s role. Six Steps for Setting Up an Efficient Data Center or Co-location When a company realizes that it has amassed so much data that it needs a dedicated data center, there are several steps it can take to ensure a smooth and efficient set-up process. From the initial decision to set up the data center until the first file upload and beyond, the corporate legal department is a critical player. Step 1: Evaluate the need. The decision to build a data center typically arises out of growing demand for technological resources. Determining a company s technology needs and how those needs will change in the coming years will inform many of the logistical decisions that go into creating a data center. Understanding security and backup needs will also inform this process. Legal department s role: In-house lawyers must look at the data retention requirements and decide how much data the company needs to retain and for how long. This information is essential for the IT team to understand what requirements its data center facility must be able to fulfill. Step 2: Align the data center requirements with the corporate risk threshold. No matter where the data center is built, its location poses some level of legal risk. Different jurisdictions have different data privacy regulations, litigation hold requirements, and e-discovery concerns. Companies that understand these risks can select a location that is consistent with their risk tolerance. Legal department s role: Lawyers must first assess specific jurisdictional risks. Then they must work with the IT team and corporate management to determine how those risks fit into the data center business plan. Step 3: Obtain stakeholder buy-in. Data center deployments usually involve many departments, including facilities, security, IT, sales, marketing, risk management, finance, and legal. Involving all stakeholders early in the planning process will help ensure the success of the data center deployment. 1

3 Legal department s role: Like all other departments, the legal department s role at this stage is to participate in planning meetings and provide input, helping to clear the path to move forward. Step 4: Choose a site. Site selection should take into account all the stakeholder requirements and risk considerations identified in steps 2 and 3. For companies that opt for a co-located data center, these factors also inform the selection of a hosting service provider. Legal department s role: In choosing a site and hosting provider, the legal department should flag any regulatory issues or contractual terms that could present problems. Step 5: Plan for systems deployment. Building out a data center requires attention to a host of technical details that will ensure adequate performance. But some of these choices have non-technical ramifications, such as incorporating renewable energy, hiring local vendors and integrating disaster protection into the design. Legal department s role: In this step, the company must be aware particularly with data centers abroad of the risk that facilitation payments will be demanded during the building process. These can sometimes be considered bribes and may violate various anti-bribery laws. The legal department may also assist in finding tax credits for the company during the building of a data center. Step 6: Deploy systems. Ensure sufficient time to properly equip and set up the data center. Often, companies rush this critical part of the deployment. The consequences of actions taken in the deployment phase will persist for years, sometimes causing problems that will be difficult to diagnose. That is, equipment must be installed properly and take long-term considerations into account at this stage so that the data center can continue to function well for a long time to come. Legal department s role: With the deployment plan set, in this step, the legal department primarily serves as counselor if and when potential legal issues arise. Data Center Risks and Challenges United States With each step in building a data center either from the ground up or a co-location there are challenges and risks. In the US, the biggest challenge is choosing the right location. Because data centers are getting bigger and more complex, space is a concern. A common mistake many companies make is planning to build a data center on their own sites. While this can work for organizations with a lot of land in remote locations, it is impossible for those in big, dense cities. Most office buildings and high rises simply don t have the infrastructure or the space needed to support a data center. Some US companies especially those that manage large volumes of data have established data centers, or even moved parts of their operations, to more remote locations where land is less expensive and they have the space to build large campuses and sophisticated facilities. In addition to space concerns, companies need to factor in access to inexpensive electricity, or electricity generation capacity, when choosing a data center site. Budget is another major concern for most companies building a data center or co-locating. Step 2 is critical to avoid going over budget: aligning the data center requirements with the corporate risk threshold prevents the scope of the project from getting too big. Once a site is chosen, communication among the various stakeholders the leaders of the corporate departments involved is crucial to the success of the building process, particularly between IT and the legal department. While IT is working to get the data center up and running, the legal department must stay informed of what decisions are being made and implemented to avoid inadvertently violating any laws or regulations. In the US, regulatory concerns vary greatly from state to state, but the most common regulatory issue that arises is data privacy particularly with regard to litigation hold notices, data retention policies, IT infrastructure and human resources databases. For the legal department, this means safeguarding the company against any wrongdoing by staying well educated about any regulations within the given state and industry. Legal must continually audit, revisit, revise, update and oversee the implementation of its data privacy policy. In this respect, the legal department s job never ends. International Not surprisingly, regulatory issues are also a concern when building a data center abroad. In fact, they are by far the biggest challenge for companies with data privacy issues, again, at the top of the list. 2

4 Regulations differ dramatically from country to country. Particularly challenging are the strict and sometimes ambiguous data protection and movement laws in China. Europe is also challenging, particularly France and Germany, where data privacy laws are especially sensitive. In international locations, companies must assess the risk and interpret the various regulations and their requirements, then make decisions on how to proceed based on their own risk tolerance. Other local laws and cultural considerations can affect the project. In India, for example, the country s laws do not allow companies to use foreign legal counsel. So a company must first find, vet, and hire a local firm often one that doesn t know its client s business very well to help cut through the legal red tape. In Brazil, data center building projects are sometimes stalled because of corruption. Officials have been known to charge companies certain taxes often just bribes in disguise to move forward with the project, raising the risk that a company may violate the Foreign Corrupt Practices Act (FCPA). In Japan, the business culture dictates that it is impolite to say no to colleagues and clients so companies may find that a step they believe had been agreed to has not been taken. Conclusion While it may not seem obvious at first glance, the legal department is an integral player in the process of finding a data center solution. It must ensure that the departments involved are communicating and keep the company on the straight and narrow with regard to laws and regulations, both in the US and abroad. During each step of the project, the legal department has a specific role to play from reviewing contracts and understanding jurisdictional laws and regulations to assessing the company s risk appetite and ensuring its client doesn t run afoul of anti-bribery laws, such as the FCPA and UK Bribery Act. Data centers can certainly be built efficiently and effectively, with minimal risk and within budget. Success requires a solid set of best practices, as well as the expertise and continual support of the corporate legal department. Published by Control Risks Group Limited ( the Company ), Cottons Centre, Cottons Lane, London SE1 2QG. The Company endeavours to ensure the accuracy of all information supplied. Advice and opinions given represent the best judgement of the Company, but subject to Section 2 (1) Unfair Contract Terms Act 1977, the Company shall in no case be liable for any claims, or special, incidental or consequential damages, whether caused by the Company s negligence (or that of any member of its staff) or in any other way. Copyright: Control Risks Group Limited All rights reserved. Reproduction in whole or in part prohibited without the prior consent of the Company. 3

5 Control Risks offices