Posts

Moving to the Cloud: Privacy

 

Green_GaugeThis post is the fourth in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

Few topics related to cloud computing create more passion than privacy.  Knowing how well your organization’s information will be safe-guarded is key to trusting a service provider and the decision to go to the cloud in the first place.

Privacy, while closely related to security, differs in that security addresses access and protection of information, privacy addresses who can access data and how it may be used.

When considering privacy, organizations should start with three documents from the service provider:

  1. Terms of Service / Contract:  Most cloud providers provide clear terms and conditions related to privacy in their terms of service.  These include statements about content ownership and access rights; clauses covering confidential information; statements regarding the provider’s access to customer data and content; and terms related to how the service provider will respond to subpoenas and other third-party demands for data.
  2. Service Level Agreement:  Many cloud providers include terms related to privacy in their service level agreement.   In some cases, the SLA stipulates time frames for addressing privacy issues.
  3. Privacy Policy:  Most cloud providers now have one or more privacy policies.  These policies may be universal to the provider’s service, or may cover specific aspects of the services (such as use of the web site/portal).

When looking to choose a cloud solutions provider, look at all three documents.  Verify that they are comprehensive and clear.  Understand how they address any particular regulatory requirements for your organization.  Validate that they are consistent — that no conflicts or gaps exist that could lead to confusion or misunderstandings down the road.

Make sure the review of privacy policies and looks at the specific customer agreements and policies.  Many cloud providers offer “free” or “consumer” services with different terms and conditions than their paid (or free) solutions for business, government, education, and non-profits.   Many organizations spin their wheels and raise unwarranted concerns by not focusing on the specific, applicable agreements, and policies.

Finally, review the privacy performance of the service provider.  If they have had any sort of breach, or a privacy dispute, understand the nature, scope, and response.  Understand if the breach was provider-related or due to the actions or inaction of the customer.  Assess the appropriateness of the provider’s response given the nature of the issue.

Again, due diligence is key.  A small amount of research, a few questions, and an accurate understanding of how a service provider plans and manages privacy will help organizations determine if the provider meets the organization’s privacy needs and priorities.

Next Post in the Series:  Lock-In

 

Previous Post in the Series:  Provider Reliabilty

Guest Post: Two Customer Reactions to a Data Breach

Originally posted by Bob Siegel, CEO of The Privacy Ref, this article looks at how a company’s response to a data breach can do as much damage as the breach itself.

TD Bank has notified their customers of a data breach through the  loss of a backup tape. Initial reports have said that the tapes contain  the account information and Social Security numbers of more than 267,000 customers on the US East Coast. The tape was not encrypted so, while the bank is unaware of any misuse of the information, anyone who does obtain the tape could easily read the information it contains.

I was with some TD Bank customers the day the data breach was acknowledged. There were two comments made that I hear anytime a breach occurs so I wanted to share them to help you protect your brand image in the event of a data loss.

It took too long to notify customers of the data breach

The first comment the people I spoke with made was that six months was too long for the bank to notify customers that a data breach occurred. TD Bank has said that they were investigating the incident during this period. The customers I spoke with took the view that the bank either had the tape or they didn’t, so why did it take so long to be notified. The customers felt that the delay put their accounts at further risk as well as increasing their exposure to identity theft.

Notice of a data breach to your customers needs to be timely. The definition of timely rests on the perception of the customer. Any time beyond the customers’ perception of timely may be seen as the investigation not having been a priority or, as seen by the comments above, that you are putting the customers at additional risk.

The more complex a breach is perceived to be the more time customers will tolerate for notification. For example, an intrusion into your systems is perceived to take longer to investigate than something that has been misplaced.

More should have been done to protect against the data breach

Hindsight is 20/20 and we begin thinking “if only we had….”. Hopefully we wil learn from each others’ experiences and improve our own programs.

In this case more should have been done to protect the data. TD Bank has customers in Massachusetts.  MA 201 CMR 17.00 provides standards of protection for personal information for residents of this commonwealth. Under this statute, the encryption of personal data that resides on portable devices is required. Personal information under the Massachusetts law includes financial account information or social security number in conjunction with first name or initial and last name. Massachusetts includes tapes as portable storage devices.

In my conversations with the bank’s customers they began to question the overall security procedures used in the bank’s data processing. This may be a large leap in thinking, but one that someone unfamiliar with IT practices may make.

Privacy professionals today recognize that for any organization it is not if a data breach will occur, but when will it occur. How the public perceives your communications about, response to, and the circumstances of the breach will have an impact on your brand image. Preparing a response plan before a data breach occurs is something every organization should do to minimize any impacts, including  brand damage, that may occur.

 

Google Apps and Google’s New Privacy Policy

The cloud world is buzzing as Google announced that effective March 1, 2012, it would consolidate more than 60 privacy policies for different services into a single, simplified policy covering all Google services.  Not surprisingly, we are already fielding calls from our Google Apps for Business / Education / Government customers with questions about the impact of the change.

Rest easy.  Here are the answers.

Not Much is Changing

The consolidated privacy policy is not changing how Google collects or uses information with individual services or across services.  The policy is providing a simpler, easier to understand document that is consistent across all services.  Google has also removed components of its existing privacy policies that are redundant with content in the Terms of Service policy for each service, which are also being updated and consolidated into a single, consistent policy.

Note that the Privacy Policy address how Google collects and uses information about individual users, but that the Terms of Service dictate how Google treats content you place or store using Google services.  To understand how your information is protected, you must review both documents.

Public and Free Services versus Business / Education / Government Services

The new Terms of Service and Privacy Policy provide a baseline for all services.  The Terms of Service clearly states that

“Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services.”

Google Apps for Business, for Education, and for Government all have these additional terms and settings.

Confidentiality in Google Apps for Business / Education / Government

The Terms of Service for Google Apps for Business, for Education, and for Government each define Confidential Information as follows:

Confidential Information means information disclosed by a party to the other party under this Agreement that is marked as confidential or would normally be considered confidential under the circumstances. Customer Data is Customer’s Confidential Information.

Very simply, the agreement defines all user/customer content in these services as confidential.

The Terms of Service prevent Google from accessing or disclosing customer information without permission and guarantee a standard of care related the security, availability, and privacy of customer information.

Exceptions

There are exceptions when Google may disclose or publicly display Google Apps for Business / Education / Government customers.

  1. A User Marks Content as Public:  If a user marks content as “public” or as “publish on the web”, the user is giving permission to Google and instructing Google to index the content in Google search engine and to make the content available to everyone publicly.   Google Apps administrators can limit user permissions to prevent them from marking content as public.
  2. Required Disclosure:  Per the Terms of Service, Google may “… disclose the other party’s Confidential Information when required by law but only after it, if legally permissible: (a) uses commercially reasonable efforts to notify the other party; and (b) gives the other party the chance to challenge the disclosure.”

Summary

While Google’s consolidation of privacy policies makes for great, sensational headlines, the reality is that their is no material change in how Google addresses information privacy.  For Google Apps for Business, for Education, and for Government customers, there is no change what so ever.

Friday Thought: What does SAS 70 really mean?

When talking about security of cloud solutions, we often mention that Google Apps is SAS 70 Type II certified.  While it sounds impressive, what does it really mean.

SAS 70 is an accounting audit standard for operational policies and procedures.  To achieve certification, you …

  1. Must have best-practice policies and procedures in place
  2. Must be able to prove that you follow policies and procedures
  3. Must have an independent 3rd party audit your operations on a regular basis to validate the policies and procedures and verify that they are followed.

SAS 70 Type II reflects a level of certification for data center and IT operations that includes:

  • Physical security of buildings and data centers
  • Logical security (network, systems, data, etc)
  • Privacy
  • Incident management and availability
  • Change management
  • Organization (roles and responsibilities)
  • Administration (personnel, documentation, funding, etc.)

So while it sounds impressive, SAS 70 Type II certification really is impressive!

Most businesses cannot or choose not to incur the cost and effort to achieve SAS 70 Type II certification for their internal systems.  With the certification, Google is confirming the security and safety of your data continuously at a level that likely exceeds the security of your in-house networks and systems.