PROTECTION AGAINST RANDOM TERRORIST INFORMATION WARFARE TACTICS




Are application service providers (ASPs) and hosting providers selling customer information? How can private companies protect their data against random terrorist information warfare tactics? The answer lies in a combination of data-protection techniques and firewalls; both are briefly covered in this part of the chapter.

An information security officer for the New York State Office of Mental Health is mulling the application service provider (ASP) model. But he's afraid that patient data could end up in the wrong hands.

Data security concerns, too, tarnish ASPs' allure for government clients. Think of the commercial windfall if any of these hosting companies started selling social services data or any other government agency's data. It's unacceptable, but it could happen. And indeed it is happening.

A recent industry survey found that 30% of application-hosting providers were selling their customers' data. What is most disturbing is that the hosting companies all had privacy policies in place, which they were violating.

The would-be gatherers of the stolen data aren't always advertising agencies or marketing firms. They could be random terrorists seeking out corporate data (any data) to destroy as part of an IW tactic. For example, one ASP executive reported software vendors asking him to host their applications for vertical market customers so they could mine the customers' databases. At least, that's what they claimed to be doing. The vendors wanted to act as a purchasing agent between the members of those vertical markets, enabling them to sift through the members' databases for information to cross-sell between the member companies.

If the customers agree, it could be great. But that is a big if. Most companies don't want anyone mining their data.

Selling customer data is taboo for most ASPs, whose executives cringe at the prospect and chalk it up to a few bad apples who will soon be out of business. If it is happening, it could have terrible implications on the rest of the industry. But most ASPs view their customers' data as their sacred asset and would never consider selling it. An ASP should also be bound to a privacy policy as part of the service contract.

Prevent your data from being sold up front by making the provider sign a contract that says it can't sell the data. And make sure you take a close look at the wording to see what constitutes a sale or transfer of data (see sidebar, 'Data Protection Measure Tips').

start sidebar
Data Protection Measure Tips

Application-Hosting Providers

  1. Consider working with a lawyer or auditing firm when writing a privacy contract

  2. Limit staff access to data and set up multiple levels of security

  3. Require employees to sign a statement that they will abide by security and privacy policies

  4. Separate the data center from corporate offices

  5. Have one-door access to the data center

  6. Install security cameras in the data center

Customers

  1. Examine a privacy policy's wording to understand what constitutes a sale or transfer of data

  2. Keep the 'what-ifs' in mind: If providers go bust or are acquired, what happens to the data?

  3. Do a background check on the provider and check references

  4. Look for seals of approval

end sidebar

What if the hosting provider goes out of business? Is it permissible to sell its customers' information as an asset (as on-line retailer Toysmart.com tried before being rebuffed by the Federal Trade Commission)? Or what if the ASP is acquired? Will the acquirer stick to the same privacy agreement (see sidebar, 'Privacy Agreements')? An ASP should be able to answer all these questions.

start sidebar
Privacy Agreements

What's stopping hosting providers from selling their customers' data? Ethics and little else, according to industry watchdogs.

Companies are being tempted to sell valuable information at their disposal because there are no set legal ramifications against doing so. Right now, a lot can be bought and sold rather freely.

And that includes the business sector. The pressure right now to sell data applies to business information as well as to consumer data. People tend to overlook that.

Hosting providers can be held accountable if they violate their privacy policies, as the Federal Trade Commission suit against e-tailer Toysmart.com shows, but privacy policies often are more vaporware than reality. Privacy policies have more holes than Swiss cheese.

Customers must take some of the blame for flimsy privacy policies because many only skim over privacy statements in their rush to sign on with an ASP. A lot of ASPs are offering free services. They say, 'Sign up now and get the first few months free.' And in their rush to sign on, customers don't even look at the privacy policy.

However, the ASP industry aims to police itself. The ASP Industry Consortium is working with the World Intellectual Property Organization to establish dispute resolution procedures between ASPs and their customers, covering such areas as copyright/proprietary rights infringement and loss of data or data integrity.

end sidebar

Companies hosting data also should take measures to prevent internal and external 'marauders' from gaining access to customer information. Many ASPs, for example, check the backgrounds of the data center staff and restrict their access to data. Often, the customer, not the ASP, chooses who gets access.

Another safeguard is making data center employees pass through several security levels, including physical security guards, key-card door access, and even biometric hand scans. A common mistake made by ASPs is housing the data center in the same facility as a corporate office.

For example, it's too easy to say, 'I work with the company,' flash an ID, and walk right in. It's just as easy to bypass external data center security measures by pretending to be a member of the nightly cleaning crew and telling a security guard that you are with a group already in the building.

To test an ASP's privacy policy and security measures, customers should hire an outside auditing firm. Privacy group TrustE, for example, uses seeding to make sure that companies live up to their privacy policies. Global Integrity probes hosting providers' networks to find out if it can bypass their security schemes.
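The 'seeding' the paragraph mentions is a detection technique: before handing a dataset to a provider, the customer plants a few fabricated records that only that provider receives, and then watches for those records turning up in third-party lists. The following is an added example of one way to implement it; it is not code from the book or from TrustE. It assumes a contact-list data model with `name`, `email` and `phone` fields, derives each seed with an HMAC over a customer-held secret so the seeds can be regenerated later without storing them, and uses a different provider tag per recipient so a hit attributes the leak to one provider. All names, addresses and the secret are constructed for the demonstration.

```python
"""Seed a customer dataset with canary records and detect their reappearance.

Added example, not the book's own code. Assumptions: records are dicts with
'name', 'email' and 'phone' keys; the customer keeps SECRET private and gives
each hosting provider its own provider tag.
"""
import hashlib
import hmac


def make_seed(secret: bytes, provider: str, index: int) -> dict:
    """Derive one canary record for a given provider and seed index.

    HMAC(secret, provider:index) makes the record unguessable to outsiders yet
    reproducible by the customer, so seeds need not be stored anywhere.
    """
    msg = f"{provider}:{index}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]
    return {
        "name": f"Seed {tag[:6].upper()}",
        # example.com is reserved for documentation; constructed value
        "email": f"{tag}@example.com",
        # 555-01xx is a fictional phone range; constructed value
        "phone": f"555-01{int(tag[:2], 16) % 100:02d}",
    }


def seed_dataset(records: list, secret: bytes, provider: str, count: int = 3):
    """Return a copy of records with `count` provider-specific seeds appended,
    plus the list of seeds so the customer can log what was planted."""
    seeds = [make_seed(secret, provider, i) for i in range(count)]
    return records + seeds, seeds


def find_leaked_seeds(third_party_records: list, secret: bytes,
                      providers: list, count: int = 3) -> dict:
    """Check records obtained elsewhere (a marketing list, a breach dump) for
    any provider's seeds. Returns {provider: [matching seed emails]}; an empty
    dict means no canary was found."""
    seen = {r["email"].strip().lower() for r in third_party_records}
    hits = {}
    for provider in providers:
        for i in range(count):
            seed = make_seed(secret, provider, i)
            if seed["email"] in seen:
                hits.setdefault(provider, []).append(seed["email"])
    return hits


if __name__ == "__main__":
    # Constructed demonstration data.
    SECRET = b"customer-held-secret"
    contacts = [{"name": "Alice Example", "email": "alice@example.com",
                 "phone": "555-0100"}]
    seeded, planted = seed_dataset(contacts, SECRET, "asp-alpha")
    print(f"handed {len(seeded)} records to asp-alpha ({len(planted)} seeds)")

    # Later, a list bought from a broker contains one of asp-alpha's seeds.
    broker_list = [planted[1], {"name": "Bob", "email": "bob@example.com",
                                "phone": "555-0101"}]
    print(find_leaked_seeds(broker_list, SECRET, ["asp-alpha", "asp-beta"]))
```

Because the seeds are regenerated from the secret rather than looked up, a customer can re-check any list years later, and because each provider gets distinct seeds, a match names the provider whose copy leaked rather than merely proving that some copy did.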

Customers should test an ASP's security measures up front and use an auditing firm to test them on an ongoing basis. Some ASPs are even getting in on the auditing act. Breakaway Solutions, for instance, recently formed its own managed security practice. The Boston-based ebusiness integrator and ASP conducts security audits, builds security architectures, and performs ongoing security breach tests for customers.

Another data safety avenue for ASPs is seals of approval from such organizations as the Better Business Bureau and TrustE. TrustE, of San Jose, California, gives out privacy seals of approval, called 'trustmarks,' to Web sites. It's also considering expanding the program to include software companies. To get a privacy seal of approval, software companies have to disclose their data-gathering and dissemination practices.

And that might become more common. ASP clients are sharpening their scrutiny of data privacy. Customers of ASPs are taking a long look at privacy policies. And most won't work with ASPs that don't have a solid one in place.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca