VARs and MSPs are often tasked with collecting and monitoring their customers' personal data, but how can they avoid allegations of spying and information tampering?
Over the past several years, Internet privacy and the rights and restrictions of companies storing personal user data have become one of the largest and most controversial topics in the IT community. Most recently, the topic of individual Internet privacy has turned toward the rights of minors, particularly after November’s VTech hacking and recent allegations that suggested Google was spying on K-12 students using its Chromebooks for Education. Unfortunately, these are just a few examples of the types of information loss that have become all too common in our society.
Despite the constant chatter about the subject of data privacy, the role of managed service providers and value-added resellers is often overlooked, chiefly because the general public is unaware of their involvement in enterprise data storage and retrieval. So where do MSPs and VARs fit into the big picture when it comes to protecting customer data?
According to Ron Culler, founder and CTO of Secure Designs Inc., MSPs and VARs who deal with sensitive customer information have the responsibility to follow their personal ethical code when it comes to what data they should and should not analyze. The same principles apply to large corporations; in the case of Google allegedly spying on students, this means creating and following a strict moral code to refrain from violating users’ right to privacy.
“The amount of information that’s out there owned by individual organizations like Google is fairly large,” said Culler, in an interview with The VAR Guy. “If they can connect that information with other data sources it can actually deliver them a pretty powerful tool to improve their product. But at the same time if someone with the wrong intentions gets a hold of it it’s actually a pretty powerful product for other intentions.”
Culler, who spent ten years working as part of the United States Navy’s Cryptologic Technician Maintenance division, is the former president of LAN Technologies, a network consultancy firm, and later founded Secure Designs in 2001. As a security expert, he said it is important for MSPs and VARs to carefully research and understand the type of data their potential customer deals with to be sure they are capable of meeting compliance and regulatory needs before accepting any work. Failure to do so can result in monetary fines, government seizure of data files, and a loss of customer trust. For example, businesses can protect themselves from potential backlash by HIPAA-covered entities by setting up a Business Associate Agreement prior to performing any services.
It is also critical for MSPs and VARs to know and abide by the federal as well as state and local privacy laws in the places where they do business. Each of the fifty U.S. states has its own specific data privacy law (and in certain states, no law at all) so it is critical for service providers to understand the specific rules and regulations of the state where their data is being housed. This goes for customers in other countries as well, where data privacy issues are completely different from those in the United States.
“In today’s global, digital economy, my data -- if it is stored in the cloud -- can travel around the world,” said Culler. “And when it’s outside of the United States, I don’t have control over it anymore. The country that it’s sitting on a server in, that’s the country that ultimately has control.”
Unfortunately, in many cases the difference between an MSP or VAR simply monitoring customer information to provide a service and actually spying on users comes down to personal and company ethics. The ability to spy on individuals is all too easy in the Internet age, but what hasn't changed is the importance of adhering to a strict policy to do no harm against others. As you can imagine, that philosophy is much easier said than done, especially when millions and billions of dollars are to be made.
What are your thoughts on the role of MSPs and VARs in protecting customer data? Sound off in the comments or tweet @MCusanelliSB to share your opinion.