How to Identify Trustworthy vendors in the cloud – TRUSTe

How to Identify Trustworthy Vendors in the Cloud

TRUSTe WHITEPAPER

TRUSTe Inc.

US: 1-888-878-7830

EU: +44 (0) 203 626 0109

www.truste.com

How to Identify Trustworthy Vendors in the Cloud 2

It’s All About Data

In the modern business landscape it’s rare to be able to talk about customer relationship

without the discussion centering on data. Data is at the center of understanding your

customer and gaining and maintaining that customer’s trust. What data are you collecting?

How are you using it? With what types of third parties are you sharing this data? Is there

any onward transfer out of your direct control in your workflow? Is all of the data secure at

every juncture and storage location?

Data is a critical asset and with this asset comes critical responsibility: How do you balance

the desire to use data that you collect while also respecting the privacy of those from

whom you collect it? How do you establish and maintain that critical component of trust?

It is a balancing act and your customers expect you to make the correct decisions and “do

the right thing” 100% of the time regarding their personally identifiable information (PII).

Little or no room for error

It does not matter how large or famous your company may or may not be. Likewise, the

products or services you offer are not really relevant. If you are collecting and storing any

customer or potential customer data you will—like so many others—be held responsible if

you violate their trust.

And, one of the primary factors in what you must understand, monitor, and police is a

constant, ever-increasing complexity that is inherent in the nature of Cloud-based business

as more and more services become available via the web. If you are to remain competitive,

you are very likely going to have to make decisions about how your company leverages

the advantages of the Cloud. Of course, as your data ecosystem expands the potential for

missteps also increases and risk factors are multiplied.

2011Apple and Google

weather “location gate”

privacy scandal over

their mobie devices.

Apple changes collection

practices in response.

2011Playdom fined $3 million

for violating children’s

online privacy.

2011Broken Thumbs Apps

settles FTC charges that

it violated children’s

privacy law – company

is fined and forced to

destroy the data.

2011Netflix faces multiple

privacy lawsuits over

its data storage

practices.

2011Acquisition of Borders

delayed due to questions

over privacy rights of

46M email subscribers.

2011OnStar forced to reverse

location tracking policy

following privacy outcry.

2012Path social network

app accesses

address books without

permission.

2011nebuAd settles $2.4

million privacy lawsuit

over behavioral

targeting practices.


There are two primary ways for trust to be breached and lost:

• The mishandling of data by you or trusted partners in your ecosystem

• Failed security, the leakage of data to unauthorized agents or eyes by you or partners

It is important to realize that regardless of how you may be implicated in legal action if a

breach occurs—even at a distant node in your ecosystem—your customers and the court of

public opinion will still be holding your brand accountable for any perception of injustice or

sloppiness in the care of personal information because it was to you that the information

was originally entrusted.

Also, if you are engaged in international business or you are partnering with others whose

data centers are established across borders, additional layers of rules, regulations, and

customer expectations may apply. You may be required by your business practices to self-

certify under the EU Safe Harbor framework or put other contractual mechanisms in place

to assure that your European customers’ personal information is protected according to

European standards. Or, for example, if a subset of your online data processing involves a

partner in Asia handling data collected from a French customer, you must ensure that the

related data transfers meet European Union PII standards adequately. US-EU Safe Harbor

covers data transfers to the US only. If customer PII is transferred to other countries outside

of this domain, then the appropriate legal mechanisms must be in place; such as model

contracts or binding corporate rules (BCRs). As you make every decision about outsourcing

or partnering to increase efficiencies in time and cost you are also inviting increased

complexity, whether you are aware of that factor or not.

Vetting Partners and Service Providers

Building trust and looking at trust is not only important within the walls of your enterprise

but beyond and throughout your partner network. With the rise and easy availability of

cloud services, companies are engaging in relationships with more and more third party

service providers and partners. This often provides flexibility and cost savings that you

cannot create on your own. If there are already three other wheels out there optimized for

a process or capability that you do not already possess, frequently it does not make sense

to reinvent that wheel for the forth time, paid for with your own resources. However, when

considering which of the three alternative wheels might be the best fit for your needs, it is

wise to vet all options carefully for the bigger picture of your business. You must assure that

if the transfer of any data regarding personal information must occur for the relationship

to be productive that your vendor or partner will be just as respectful of or careful with the

data as you are. Wheel number two may initially seem like the best option due to obvious

costs, etc., but wheel number one or number three may be better equipped to protect your

overall reputation.


Before you allow customer data out of your control into the hands of a partner/vendor

you—or someone working on your behalf— should vet them for all of these data-centric

functional areas:

Collection Limitation and Use Minimization — Collecting a lot of data from or about your

customers is tempting from a business perspective. Collection limitation—collecting data

that is reasonably necessary to fulfill the purpose for which it was requested—is a key

element of data protection law in most jurisdictions. Also, you should not be using data for

purposes that were not disclosed to your customers at the time the data was solicited and

received. The general guiding principle is collect and use the minimum required information

to best lower your risk.

Access and Storage — Data containing personally identifiable information (PII) should

only be accessed by authorized entities and it is possible that international requirements

may force you to allow the individual about whom the data was collected to see it and

even modify it at any time. Of course, any security breach—intentional by criminals or

unintentional by your or your agents—could have a catastrophic impact on your brand.

Onward Transfer — You may only share PII with others with the permission of the individual

involved. You must obtain that consent at the time the data is collected and anyone

receiving onward transfer data must abide by all of the rules that are established and

agreed to at the time of collection as well. Special additional care must often be taken when

this transfer involves the data’s crossing an international boundary.

Actual Practices — The ultimate “go to” guide for what you say you are doing and what you

should actually be doing is typically your privacy policy. It is ideal that it be written in clear

language that does not intimidate your customers and that it be unified for all business units

where possible and easily referenced. Your customers must be able to understand precisely

what you intend to do with their PII and why. Then of course, you (and your vendors and

partners in the Cloud) must abide strictly by your promises. You must all do what you said

you would do when you collected the data originally.

And in addition to care with these core domains, when your business relationships change

you must have assurances in place for re-obtaining all control of any data that has been

out of your domain. You may also need assurances in some cases that customer data at a

vendor or partner is destroyed.

The Breadth of Your Responsibility

Building trust and looking at trust is not only important within the walls of your enterprise

but beyond and throughout your partner network. From a customer’s perspective, if a ball

is dropped, it doesn’t matter where it’s dropped if they feel harmed by it. This means that

everyone in your business ecosystem must be following the rules that you establish with

your customers, at all times and in every scenario that PII comes into play.

NAMELOCATIONPHONE NUMBER

P R I VA C YP O L I C Y


Contracts must be in place to make sure that every aspect of care that is required is actually

being observed consistently by all relevant parties who come into contact with the PII of

your customers. If a partner or vendor will be engaging in onward transfer, that must be

taken into account. And if they are not contractually empowered to transfer customer data

to other entities, then doing so is a violation that might cost you both dearly. A breach at

one of your partner’s vendors—even two or three degrees of separation away from you—can

be just as damaging to your customer and therefore to your customer’s trust relationship

with you as if it had occurred due to your own servers or handling practices.

It’s easier with TRUSTe

Your company may already be in good shape in terms of having policies and contractual

protections in place that you and your customers need. However, certification by a privacy

specialist like TRUSTe can greatly expedite your third party contracting processes. Privacy

certification processes augment basic security audits. Privacy-centric evaluations examine

and understand data from the end-user perspective, not just the nuts and bolts that secure

data on the back end. It is in any company’s best interest to require the service providers

they are evaluating to have qualified third party privacy certification as a basic criterion for

partnering or outsourcing.

Partner’sVendor

Contract



Partner’sVendor

Contract



Vendor

Contract



Vendor

Contract



YOU




When all of the nodes in your ecosystem have been certified for safe best practices, you

have far less to worry about when forging new relationships or even implementing new

programs or processes that were not in place when original contracts were signed. TRUSTe

also assists clients in avoiding embarrassing and harmful problems through its privacy

feedback mechanisms. These help companies to identify privacy mishaps and pitfalls early,

before they potentially become public relations nightmares. TRUSTe can also serve as a

liaison in dispute resolution scenarios if necessary.

Success at Zendesk

Zendesk was created back in 2007 by two Danish entrepreneurs who had a vision of

providing great customer service through a SaaS product. Zendesk’s web application

provides help desk ticketing solutions and knowledge management capabilities for their

customers. It is a platform that allows customers to create a help desk to in turn assist

their customers. It functions on two levels. Zendesk—in collaboration with TRUSTe—has

developed best practices for security and PII policies and integrated those wherever

possible into their platform. They also educate and encourage their customers in these

best practices thereby perpetuating a mindset and culture of treating data as securely as

possible and not violating the privacy of their end-user customers.

Partner’sVendor

Contract



Partner’sVendor

Contract



Vendor

Contract



Vendor

Contract



YOU




However, complexities like integration with Facebook, Twitter, and other emerging web

services and phenomena continue to generate ongoing security and privacy implications

during the third party integration process. Zendesk’s customers, and their end-user

customers in turn, expect a consistent level of privacy and security policies to be in place

and for those to be uniformly enforced across the customer experience spectrum. So, as

Zendesk’s clients integrate with more and more third parties, they have to carefully and

constantly evaluate whether or not they can maintain their own standards.

Zendesk has over 100 third-party integrations including CRM products, and a broad variety

of others as well. This translates into over 20,000 clients in 140 countries—including both

small and very large businesses. Zendesk finds that their larger corporate customers tend to

be more sophisticated about security, whereas smaller customers, worry less about security

and PII domain concerns if they haven not yet experienced a breach. At times Zendesk finds

itself needing to educate customers on good security policies and practices.

TRUSTe has a multi-year relationship with Zendesk. Their data management, both in theory

and technical practice, is verified. Their privacy policy is now set to hold up at the highest

standard. TRUSTe educated Zendesk on how to modify and optimize the privacy side of

their business and Zendesk is now propagating best practices at every opportunity.

15 Years of Building Trust into Business

As a leading provider of data privacy solutions and certification services for 15 years—

small and large enterprises alike have come to rely on TRUSTe to assist them in designing

and implementing comprehensive data privacy strategies. TRUSTe fully understands the

complexities of identifying completely trustworthy vendors in the Cloud. If your partner or

vendor ecosystem needs to expand—or if you want to become that trustworthy, certified

vendor or partner—we can get you ready on every critical axis.

Please visit us on the web at:

truste.com/cloud

US: 1-888-878-7830 | EU: +44 (0) 203 626 0109 | www.truste.com © 2012 All Rights Reserved

How to Identify Trustworthy vendors in the cloud – TRUSTe

Technology

Transcript of How to Identify Trustworthy vendors in the cloud – TRUSTe