Hosted Data Seizure Risk Greater Than On-Premises

A recent lawsuit shows that Microsoft frequently receives orders to disclose customer data to the U.S. government without notifying the affected customer. The suit seeks to overturn the government’s ability to demand secrecy for such orders, and it reveals that Microsoft receives such orders on a daily basis. Despite Microsoft’s efforts to secure its data centers and comply with privacy and governance standards, customers using hosted services are exposed to risk of data seizure without notice—a risk that is much smaller when data remains on-premises. If successful, Microsoft’s suit could mitigate or equalize the host services risk.

Seizure Without Notice

Microsoft brought the suit against the U.S. Department of Justice to overturn a provision of the Electronic Communications Privacy Act (ECPA). The provision allows U.S. courts to order Microsoft to keep secret government requests for customer’s data.

When a customer’s data is on-premises, either as paper records in file cabinets or digital records on computers or servers, the data remains within the customer’s physical control. In such cases where the government has a court order allowing it to seize the data, the serving of the order effectively gives the customer notice of the seizure and its scope.