That is, is there some document that, if I have on my laptop in my home, it is fine, but if I back it up online, on some company’s server in another state, I may be violating some law?
Simple example would be pornography, but that’s not what I had in mind. Any other classes of documents which would have this issue?
Maybe a document from a company with which I signed an NDA agreement?
If I back up the document to an online server, can the company sue me for “disseminating” information about their company?
Any other cases?
ETA: Assume the data you are backing up is encrypted using the strongest encryption available.
Absolutely. If the data is in any way confidential or contains personal data (of other persons) you may fall foul of any number of laws. Data Protection Act, Official Secrets Act, assorted data export regulations, etc.
These online backup companies don’t really care what files you want to back up. They just provide offsite storage capabilities. I don’t see how what you stored would matter to them.
If you are storing something illegal, such as child porn, and the authorities asked the backup company to provide it to them as part of a prosecution, I’m sure they would hand it over.
I’m not saying the online backup companies would care. I’m saying a company I signed an NDA with might care that I backed up some of their information to an online service (even if I encrypt it).
If you’re wondering whether backing up the data would violate an NDA, the first place you should look is the precise language of the NDA itself. For most NDAs that I’ve seen, backing up the data would probably not be considered a violation, assuming you took reasonable steps to make sure other people could not access the data (such as encrypting it).
One wrinkle I can think of: Some NDAs require you to destroy/delete the confidential information you’ve received at some point, or under some circumstances. If you’re subject to that requirement, it would presumably apply to any backups you have made.
Again, however, you’d have to start by looking at the specific wording of your NDA.
The issues posed by online backup are virtually identical to the issues posed by storing the information on your own computer. You would have to look at each specific issue and determine how the backup affects it. There is no general principle that’s going to give you a default answer.
For example, if you deal with medical information in the US, you are bound by HIPAA rules. These rules specify all kinds of parameters. If you look at online backup companies, many of them make a point of emphasizing that they are HIPAA compliant solutions.
Credit card information also has very specific handling rules, including a requirement that you change the password every 90 days.
If you’re talking about child pornography, you need to see the applicable laws in your jurisdiction and (possibly) the laws in the jurisdiction that govern the data center.
If you’re talking about an NDA, you have to see the specific provisions. I’ve had NDAs that explicitly prevented any copies from being made and another that required any copies to be stored on computers/networks you control, but most simply require that you destroy any copies along with the originals at the termination of the agreement. (That might be an issue; since most online backups are incremental and keep archival copies, do you know if you can delete a specific set of files?) Most require only a vague “reasonable level of care” in data protection, but many stipulate certain provisions that constitute a definition of reasonable.
Not necessarily true. Or rather, some of their less scrupulous employees might be very interested. Online backups can be a good source of personal data like credit card info, bank details, etc. Even if the backup company is entirely scrupulous, how do you know that there isn’t some security weakness a malefactor can exploit? You really don’t want to receive an email saying, “We’re sorry but we got hacked,” do you?
And encrypted backups are meaningless if they manage to get your encryption key.
The PATRIOT Act allows U.S. authorities to grab any data physically located in the U.S., regardless of the ownership of said data.
This is incompatible with Canadian privacy laws, and as a result some companies have had to move data out of U.S. processing centres. (I was thinking specifically of RIM, but couldn’t find anything with Google; this provincial law was the closest I could find.)
I don’t know about any state-to-state laws specifically.
This is true but the real reason is not the credit card itself but the password. People are idiots when it comes to passwords and they use the same thing for every site.
So if I backed up my data, someone at the center could merely go to Citibank, then BoA, then Chase, then Wells Fargo, and keep putting Markxxx and my password in each site, till they get a hit.