The Effects of Data Localization on Cybersecurity - Organizational Effects

31 Pages. Posted: 18 Feb 2022. Last revised: 16 Jun 2023.


Peter Swire

Georgia Institute of Technology - Scheller College of Business; Georgia Tech School of Cybersecurity and Privacy; Cross-Border Data Forum

DeBrae Kennedy-Mayo

Georgia Institute of Technology - Scheller College of Business

Date Written: June 15, 2023

Abstract

This paper provides the first systematic analysis of the types of risks that data localization creates for cybersecurity management. Rather than protecting cybersecurity, data localization often creates obstacles to integrated management of cybersecurity risks, reduces the effectiveness of purchasing cybersecurity-related services, and systematically disrupts information sharing. This paper is a companion to the paper on “The Effects of Data Localization on Cybersecurity – Organized by Techniques, Tactics, and Procedures.”

Part I introduces key concepts. The importance of data localization has risen rapidly in recent years, including in China, the EU, and India. This paper focuses on the effects of “hard” data localization, where transfer of data to other countries is prohibited. The focus is also on defensive cybersecurity: the effects on the ability of organizations such as corporations and government agencies to identify, protect, detect, respond, and recover in the face of cyber-attacks.

Part II addresses the research methodology. In addition to a traditional literature review, we review approximately 200 comments recently submitted to European regulators concerning data transfers. Next, we analyze International Standards Organization (“ISO”) 27002 to systematically examine the effects that localization rules for personal data would have on that widely used set of cybersecurity management controls.

Part III provides a new categorization of the effects of data localization on cybersecurity. First, our analysis shows that data localization would threaten an organization’s ability to achieve integrated management of cybersecurity risk. By examining each control (and important sub-controls), we show that 13 of the 14 ISO 27002 controls would be negatively affected by localization of personal data. Second, data localization pervasively limits provision of cybersecurity-related services by third parties, a global market of roughly $200 billion annually. Notably, a region requiring localization would cut its organizations off from best-in-class cybersecurity services, thereby making its organizations easier targets for attackers. Third, localization undermines information sharing for cybersecurity purposes. For each of these effects of data localization on cybersecurity, we briefly examine the primary counterarguments to our position. Part IV is the conclusion.

Keywords: cybersecurity, privacy, data localization, GDPR

JEL Classification: K2, K33, F13, F15

Suggested Citation

Swire, Peter and Kennedy-Mayo, DeBrae, The Effects of Data Localization on Cybersecurity - Organizational Effects (June 15, 2023). Georgia Tech Scheller College of Business Research Paper No. 4030905, Available at SSRN: https://ssrn.com/abstract=4030905 or http://dx.doi.org/10.2139/ssrn.4030905

Peter Swire (Contact Author)

