May 18, 2017 by

Lack of Corporate B2B Privacy Policies is a Glaring Security Hole

Privacy policies are rarely written into the contracts shared between businesses that handle large volumes of consumer data, and that omission is proving to be a major security lapse.

Corporate privacy policies. They are readily understood as the policies that companies like Uber promise to adhere to in protecting consumer data. However, major companies outsource work and data to other companies, and those contracts rarely contain privacy policies, leaving the data at risk.

Take the example of Netflix. It produces a great deal of content before users can watch its TV shows and movies on its website or its many applications. Netflix sends that content to other firms for subtitling, closed captioning, or dubbing before uploading it to its own servers. If the cybersecurity policies at any one of these third-party firms aren’t up to scratch, it’s entirely plausible for anyone with privileged access to steal the data. Unfortunately for Netflix, this is exactly what happened when a popular TV show was stolen by malicious hackers who demanded a ransom from Netflix and then uploaded it to a torrenting website.

As Evan Schuman writes in Computer World:

[M]ost B2B contracts do more to protect the confidentiality of the contract itself than the boatloads of sensitive data the contracting party is about to turn over.

He points to the example of cloud services, where contracts typically say nothing about what cloud vendors may do with the sensitive data they manage.

At a time when the FCC is rolling back privacy protections under the Trump administration, this concern is even more pronounced.

“Some municipalities are establishing their own privacy rules, but their focus is squarely on protecting their consumer citizens, not businesses,” Schuman added.

Next year, the European Union’s General Data Protection Regulation (GDPR) is set to go into effect, which companies with a presence in the EU will have to adhere to. “Those rules may be focused on consumers, but they will immediately ripple into corporate data concerns as well,” Schuman revealed. The new regulation will directly impact companies even if they have no customers or employees in EU countries. This will impact the likes of cloud companies who move data around server farms in locations around the world.

Notably, he revealed:

It [GDPR] focuses on protecting data for consumers, but your employees are, in the eyes of the EU, consumers. It doesn’t matter if the data involved comes directly from employers.

This forward-thinking regulation is exactly the kind that’s sorely lacking stateside.

Image credit: Pexels.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.