Enterprise privacy strategies, tactics
Eye on the Carriers By Johna Till Johnson, Network World, 08/07/06
Last week I wrote about privacy challenges that can affect companies, particularly those doing business globally. Here are some best practices for ensuring that your company stays on the right side of those issues:
Have a privacy policy. Yes, it's basic. But you'd be surprised how few U.S.-based companies have a formal privacy policy. It should expressly cover how you're protecting employee as well as customer and business partner data; under precisely which circumstances that information is released (and to whom); the measures you take to ensure confidentiality; and any special cases (for example, the specific scenarios under which you will and won't reveal sensitive information to government agencies - particularly as pertains to governments outside the United States).
Network managers should pay special attention to how the policy potentially affects site-to-site transmission, as impacts could be far-reaching: Depending on your policy, you may need to deploy site-to-site or end-to-end encryption, identity management or location-based restriction of services. Finally, keep in mind that in addition to national law, your organization is likely to fall under local, regional or vertical-industry regulations (Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley or the California Database Breach Notification Act SB1386).
Make sure the policy is in line with the regulatory environment in every region and country in which you'll be doing business. This means performing a gap analysis between your policy and the laws of individual countries. Are your customer data-protection measures in line with what's required in the European Union, Canada, Japan and other countries with stringent privacy requirements? Does your policy for providing sensitive information to governments conform with local and regional requirements? If it doesn't, how does the company plan to rationalize the difference?
Require telcos and other global service providers to detail their policies for privacy with respect to the above issues. It's particularly important to clarify under which circumstances carriers will release information to their local governments, under CALEA or its equivalent. Additionally, find out the specifics about how telcos handle traffic monitoring and measurement - if a carrier is tracking customer data for the purposes of traffic monitoring, for example, there may be specific privacy constraints on how long this information is held and to whom it's exposed.
Require telcos and providers to reveal their privacy practices - how they implement the aforementioned policies. Practices are the "how" that corresponds to the "what" of policies - for example, if a policy is to keep customer data secure, how is that data secured? What forms of encryption are deployed, and where? Which entities are serving as certificate authorities or key issuers? Keep in mind that the best time to do this is during contract negotiations, when you can request such information as part of the Master Services Agreement.
The bottom line? An ounce of prevention is worth a pound of cure. Holding these discussions early on can prevent lawsuits and leave all parties clear on what to expect.