Missing protection: Corporate B2B privacy policies

Evan Schuman

When most IT execs hear the term “corporate privacy policy,” they think about what their company promises its consumer customers in policies such as those from LinkedIn, Uber and Evernote. But what about policies in contracts entered into with businesses that will handle data from or about your company? Those are rare, and that is a massive security hole.

Let’s start with the low-hanging fruit. Think about the various Android and iOS devices your employees use. The devices constantly monitor their users. And I mean constantly. It used to be that users could go private by entering airplane mode and making sure that Wi-Fi was deactivated.

At least on iOS — thanks, Apple! — no more. With a recent OS upgrade, my iPhone now reacts with a “Siri not available” whenever my phone is in airplane mode and off of Wi-Fi and I say the magic “Hey, Siri” phrase. That means that Siri, though unable to access its databases, is still listening, or it wouldn’t know to say that.

If you purchased your employees’ smartphones, did you include in the purchase agreement any privacy rules? Is your company willing to pass on devices that don’t comply? If enterprises across the U.S. started insisting on privacy limits, I’d put serious money on the prospect that we’d see changes quickly.

This issue extends beyond smartphones. There’s also the cloud. Do your contracts with cloud vendors include language limiting what they can do with the highly sensitive data they will be able to access?

Contrast that with the typical employment agreement, which these days is likely to require that all confidential material be protected unto the grave and five years beyond. Meanwhile, most B2B contracts do more to protect the confidentiality of the contract itself than the boatloads of sensitive data the contracting party is about to turn over.

This is critical because, with the FCC rolling back privacy protections under the Trump administration, companies are on their own when it comes to protecting their data confidentiality, to an extent greater than even a year ago. Some municipalities are establishing their own privacy rules, but their focus is squarely on protecting their consumer citizens, not businesses.

Then there are the privacy implications of dealing with companies in other countries. Before we delve into the privacy issues with companies that are based in other countries, don’t forget the basic data sovereignty issues with cloud companies that move their data — by which I mean your data — around from server farm to server farm in lots of different global locations. Every time the data shifts countries, the inherent protections (assuming that local government insists on any) change. That’s why your direct agreement with that cloud (or what have you) company must be explicit and international.
