Your Encryption Isn't Protecting You. Microsoft Just Proved It.
In early 2026, the FBI served Microsoft with a search warrant requesting the BitLocker encryption keys for three laptops seized in a fraud investigation in Guam.
Microsoft handed them over without apparent legal challenge.
No hack. No breach. No password cracking. No sophisticated attack. Just a valid US warrant, and Microsoft's compliance. The FBI gained full access to data that the device owners believed was encrypted and protected. Johns Hopkins cryptographer Matthew Green put it plainly: "It's 2026 and these concerns have been known for years."
Microsoft confirmed the practice to Forbes. The company receives approximately 20 such requests per year.
Now ask yourself one question: are your BitLocker recovery keys sitting in Microsoft's cloud right now?
If you do not know the answer, you have a problem. And the BitLocker issue is only the most visible corner of a much larger legal exposure that applies to every UK business using US-headquartered cloud services.
This is not theory. This is not politics. This is a structured audit you can complete in an afternoon.
What Just Happened and Why It Matters to You
BitLocker is Microsoft's built-in full-disk encryption tool. It is enabled by default on most modern Windows 10 and Windows 11 devices. When a device is encrypted with BitLocker and the user has signed into a Microsoft Account or joined Microsoft Entra ID (formerly Azure Active Directory), the recovery keys are automatically backed up to Microsoft's cloud as a default behaviour.
That default setting exists so you can recover access if you forget your password or your device fails. Sensible, convenient, and widely used.
It also means Microsoft has a copy of the keys that unlock your drives.
In the Guam case, the FBI waited six months after seizing the laptops before obtaining the warrant. Why? Because BitLocker's encryption successfully resisted all FBI forensic tools. They could not crack it. So they went to the source, served Microsoft, and got the keys.
A Microsoft spokesperson confirmed the company's position: "While key recovery offers convenience, it also carries a risk of unwanted access. Microsoft believes customers are in the best position to decide how to manage their keys."
Customers are in the best position to decide. But Microsoft ships with cloud escrow switched on by default, and most small businesses have never reviewed that setting once.
Here is the wider context. The legal mechanism that enabled this, beyond the specific facts of the Guam case, is the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), enacted March 2018. It requires US-incorporated companies to produce data in their possession, custody, or control in response to a valid US court order, regardless of where that data is physically stored.
Your data does not need to be on a US server. Your provider just needs to be a US company.
Microsoft is a US company. Google is a US company. Salesforce, HubSpot, AWS, Zendesk, and approximately 80% of the SaaS products your business runs on are US companies. The CLOUD Act reaches all of them.
The Five-Step CLOUD Act Exposure Audit
This audit is designed for a business owner or an IT manager who is not a legal expert. It does not require outside consultants. It takes an afternoon. At the end of it, you will know exactly what your exposure is, which is the difference between governance and guesswork.
Step 1: Check Your BitLocker Key Escrow Settings Right Now
This is the most immediate and specific action from the Guam case, and it takes five minutes.
On each Windows device joined to Microsoft Entra ID or a Microsoft Account:
Open a browser and go to account.microsoft.com/devices. Sign in with the Microsoft Account associated with the device. Select the device and look for "Manage recovery keys." If keys are listed there, they are in Microsoft's cloud.
For business devices managed through Entra ID, your IT administrator can check the Azure portal: go to Azure Active Directory > Devices > [Device Name] > BitLocker keys. If keys are listed, Microsoft holds them.
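As an added example (not from the original article), the PowerShell below inventories the key protectors on each BitLocker volume of a Windows device and records whether the device is Entra ID joined, which is the combination under which the 48-digit recovery password is escrowed to Microsoft's cloud. The function name, output file and the "CloudEscrowLikely" heuristic are my own; the portal check above remains the authoritative answer, and a personal device signed in with a Microsoft Account still needs that check because the join status below does not reveal MSA sign-in.

```powershell
# Added example: per-device BitLocker escrow exposure inventory (not Microsoft's code).
# Assumes Windows 10/11 with the BitLocker module, run from an elevated PowerShell.
#Requires -RunAsAdministrator

function Get-BitLockerEscrowExposure {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES" and "WorkplaceJoined : YES".
    $dsreg = dsregcmd /status
    $entraJoined     = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    $workplaceJoined = [bool]($dsreg | Select-String -Pattern '^\s*WorkplaceJoined\s*:\s*YES')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        # Only the RecoveryPassword protector is what gets backed up to Entra ID or a
        # Microsoft Account; a TPM / TpmPin protector never leaves the device.
        $hasRecoveryPassword = $types -contains 'RecoveryPassword'

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            ProtectionStatus  = $vol.ProtectionStatus
            EncryptionMethod  = $vol.EncryptionMethod
            KeyProtectors     = ($types -join ', ')
            EntraJoined       = $entraJoined
            # Heuristic: a recovery password on an Entra-joined or registered device is
            # normally escrowed; the local device cannot prove the upload happened.
            CloudEscrowLikely = ($hasRecoveryPassword -and ($entraJoined -or $workplaceJoined))
        }
    }
}

# Show the result and keep a copy as the governance record the audit asks for.
$report = Get-BitLockerEscrowExposure
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\bitlocker-escrow-audit.csv"
```

Run it on every device in scope and file the CSV alongside the portal screenshot; a volume with only Tpm-type protectors and no RecoveryPassword has nothing that could have been escrowed, but also nothing to recover from if the TPM is cleared.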
What to do with what you find:
If your devices are joined to Entra ID and your organisation handles particularly sensitive client data, confidential commercially sensitive material, or data under professional privilege (legal, financial, healthcare), you should discuss with your IT provider whether to move to hardware-managed keys using a physical TPM without cloud escrow, or implement a policy that prevents automatic key backup to Microsoft's cloud.
This is not a recommendation to remove BitLocker. BitLocker protects you against physical theft and device loss, which are far more common threats than a US federal warrant. The question is whether Microsoft also holding your keys creates an exposure your clients, contracts, or governance framework cannot accommodate.
Document what you find either way. That documentation is your governance record.
Step 2: Map Every US-Headquartered Vendor in Your Data Processing Chain
Get a piece of paper or open a spreadsheet. List every software platform, cloud service, and SaaS tool that touches client data, staff personal data, or commercially sensitive business data. For each one, answer three questions:
Where is the company incorporated? (Not where the servers are. Where the company is legally registered.)
Does this vendor have access to our data, or do they merely process it under our instructions?
Do we, or does the vendor, control the encryption keys?
You are looking for US-incorporated companies in column one. That is your CLOUD Act exposure list.
Common ones you almost certainly have: Microsoft (365, Teams, SharePoint, OneDrive), Google (Workspace, Analytics), Salesforce or HubSpot (CRM), Zoom or Webex, Slack, AWS-hosted services, Dropbox, DocuSign, and any US-based payroll or HR platform.
This exercise typically produces a list of between 8 and 20 US-headquartered vendors for a 20- to 50-person UK business. That number is not a crisis. It is information. You cannot manage a risk you have not measured.
Step 3: Review Your Client Contracts
Pull out the last three significant client contracts you signed. Look specifically for any language that promises:
Data will remain in the UK or within the EEA
Data will be processed in accordance with UK GDPR only
No unauthorised third-party access to client data
Data sovereignty or data residency guarantees
Now compare those promises against your Step 2 list.
If you have promised UK data residency but your data sits on a US-controlled platform, there is a gap between your contractual obligation and your technical reality. The CLOUD Act does not care about your contractual terms. A US court order overrides them.
This is not a reason to panic. It is a reason to either update your contracts to accurately reflect the reality (qualifying the data residency promise to note that cloud service providers are subject to their home jurisdiction law), or to take steps to change the technical reality, or both.
The worst outcome is a client or regulator discovering the gap you never noticed.
Step 4: Check Your Data Protection Impact Assessments
UK GDPR requires you to conduct a Data Protection Impact Assessment for any processing that is likely to result in a high risk to individuals. International transfers are explicitly included.
The ICO updated its international transfers guidance on 15 January 2026, introducing a clear three-step test for organisations to determine whether they are making restricted transfers, and requiring Transfer Risk Assessments for those that are.
Pull out your most recent DPIAs. Check whether they address the following question: does any US-headquartered company in our processing chain create potential exposure under the US CLOUD Act?
If your DPIAs were written before 2024, or were written by an IT provider rather than a data protection professional, they almost certainly do not address this. That is the gap.
You do not need to resolve the legal conflict in your DPIA. The ICO does not currently require you to have refused all US cloud services. What it does require is that you have assessed the risk and recorded your reasoning. "We use Microsoft 365, we are aware of the CLOUD Act exposure, we have assessed it as follows, and we have taken the following steps to manage it" is a defensible position. "We never considered it" is not.
Step 5: Ask Your IT Provider One Question
"Which of our systems are operated by US-headquartered companies, and do we control the encryption keys for any data that sits on those systems?"
A competent IT provider should be able to answer this in writing within 48 hours. They should be able to tell you: which vendors are US-incorporated, whether client data transits US-controlled infrastructure, what the key management posture is for your primary cloud platforms, and whether your current setup would allow any third party to access your encrypted data with legal process directed at the vendor.
If your IT provider cannot answer this question, or looks at you blankly when you ask it, that tells you something important about whether they are providing you with genuinely managed security or just keeping the lights on.
This is not an unfair or unreasonable question to ask. It is a basic vendor risk question that every managed service provider handling sensitive business data should be able to answer.
What "Good Enough" Looks Like for a 20-Person Firm
I want to be direct about something, because the risk of this kind of article is that it makes people feel paralysed rather than empowered.
You are not the FBI's target. Microsoft receives approximately 20 CLOUD Act requests for BitLocker keys per year across its entire global customer base. The probability that a US federal warrant is coming for your laptop is, in practical terms, negligible.
The real risks are different, and they are proportionate to the size of your business.
The first is contractual risk. If you have made promises about data sovereignty that you cannot technically keep, that is a liability that could be triggered by a client audit, a contract dispute, or a procurement requirement, not a federal warrant.
The second is regulatory risk. The ICO's Transfer Risk Assessment requirements are real, increasingly enforced, and explicitly require organisations to consider government access risk in destination countries. "We never thought about it" will not serve you well when that conversation happens.
The third is reputational risk. As European procurement increasingly requires demonstrable data sovereignty posture, being able to articulate your position clearly becomes a competitive factor. "We have assessed our CLOUD Act exposure and taken specific steps to manage it" is a statement very few of your competitors can currently make.
Good enough for most 20-person firms looks like this: complete the five-step audit above, document what you found, update your DPIAs to reflect the CLOUD Act exposure, add a qualifying clause to your data residency language in future client contracts, and decide on a conscious, documented position regarding your BitLocker key escrow settings.
That is not a rip-and-replace exercise. It is a governance exercise. It takes an afternoon and a conversation with your IT provider.
How to Turn This Into a Competitive Advantage
Most of your competitors have never heard of the CLOUD Act. Fewer still have conducted an exposure audit. None of them can currently say to a client: "We have assessed our cloud stack for CLOUD Act exposure, documented our Transfer Risk Assessment, and taken specific steps to ensure our data sovereignty commitments are technically supportable."
You can say that by Friday.
For professional services firms (legal, financial, accountancy, HR consultancy): client confidentiality is your product. Being able to demonstrate that you have assessed and actively managed extraterritorial legal risk to their data is a trust signal that your competitors are not currently offering. Put it in your engagement letters.
For NHS supply chain and public sector contractors: procurement requirements for data sovereignty are tightening. Being ahead of this now means you are positioned to respond to those requirements when they arrive rather than scrambling.
For charities handling sensitive case data: trustees have a governance obligation to understand where beneficiary data goes. Completing this audit and presenting it to your board is evidence of due diligence that protects trustees personally, not just the organisation.
How to Sell This to Your Board
Three points. Keep it brief.
The risk: "US law allows American courts to compel US technology companies to produce data they hold, regardless of where it is stored. This includes our Microsoft 365 environment. The FBI just demonstrated this in a documented case in January 2026. We do not know whether our BitLocker recovery keys are currently in Microsoft's cloud."
The cost of inaction: "If a client asks us about our data sovereignty position, or if this comes up in a procurement or audit, 'we never looked into it' is not an answer we can give. The ICO now explicitly requires Transfer Risk Assessments that address government access risk."
The ask: "We need one afternoon to run a structured audit, update our DPIAs, and document our position. This is a governance item. The cost of doing nothing is unquantified legal exposure in every client contract that includes a data residency promise."
What This Means For Your Business: The Five Actions
Today: Go to account.microsoft.com/devices and check whether your BitLocker recovery keys are in Microsoft's cloud. Document what you find.
This week: Map every US-headquartered vendor in your data processing chain. The list should include every SaaS platform, cloud service, and software tool that touches client or staff data.
This week: Pull your last three significant client contracts and check whether your data sovereignty or residency language is technically supportable given that map.
Before end of month: Review your most recent DPIAs and update them to address CLOUD Act exposure. If you do not have current DPIAs, creating them is now overdue.
Before end of month: Ask your IT provider the direct question about US vendor dependency and encryption key control. Get the answer in writing.
This post is a companion piece to "The CLOUD Act and Your UK Business: The Unquantified Legal Risk Nobody Is Testing" and "Switzerland Rejected Palantir. The UK Gave It the Keys to Everything."