Module 3.8: Vendor Privacy Examples.
So in this example we see one which comes from Amazon. Many of you are probably familiar with Amazon or Amazon Web Services, where organizations use their infrastructure or their cloud environments to run their computing systems.
They have a publicly facing document called the Amazon Shared Responsibility Model. Those of you who have worked with Amazon may be familiar with this; maybe you aren't. But they use this graphic to essentially create a point of demarcation between what you are responsible for and what they are responsible for.
We can see here on the customer side, at the top in blue, that you're responsible for customer data; the platform, applications, and identity and access management; the operating system, network and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption of the file system and/or data; and networking traffic protection, meaning encryption, integrity and identity.
So, just as if you were operating your systems on premises, you are responsible for all of those elements. Now, what they are responsible for, or what the cloud is responsible for, is their infrastructure: essentially the software that runs AWS, the compute, storage, database and networking; their hardware, the AWS global infrastructure, so their data centers and the regions, the availability zones, and then their edge locations.
Now, some of you privacy pros out there may look at this and say, well, wait a minute, is Amazon essentially offloading some responsibility to their customer in the event that there is a problem at their data center, etcetera?
Well, possibly, but that's something that you would have to work out with them. Some of you who have worked with Amazon may have had no issues, and some of you may have. Either way, I think it's important to understand, at least from the practitioner standpoint, that when you're signing agreements with large organizations, some of these agreements may lean more towards their favor than yours as it relates to privacy concerns. However, it's important to note that a lot of these large vendors have made concessions and made adjustments in areas where privacy is much more of a factor, specifically in the EU and other areas where there are a lot of heavy and strict privacy regulations. So I would not necessarily take this as the end-all, be-all. However, if you're working in certain areas, make sure you contact your vendor to make sure that it's clearly understood what they are responsible for and what you're responsible for.
This is another example. I identified this document here that is really focused more on the health information that's shared here in the United States. We have HIPAA, which is an act that focuses on ensuring that PHI, or a person's health information, is essentially treated like PII: that it's only used for specific reasons, that it's not shared publicly, and that there are security rules around it, etcetera. This is not a HIPAA course by any means, nor are we going into the HITECH Act, but I wanted to circle some things here that you, as a manager, may want to consider when it comes to sharing either employee information that's health related, or if you work with a health care organization in the U.S. or with patients from the U.S.
"Does a BAA, which is a business associate agreement, with blank ensure my organization's compliance with HIPAA and the HITECH Act?" Well, technically, no. A BAA is essentially an extension of responsibility from a covered entity to a business associate that the covered entity relies on to help process and maybe control information. Offering one does not guarantee compliance. A lot of times there may be some attestation language included or amended with a BAA, but that does not automatically ensure compliance. So when you're working with vendors, or if you are one, it's important to make sure that the BAA in the relationship that's been agreed upon is understood and audited, and that there are no gaps.
"Can blank modify my organization's BAA?" Blank cannot modify the HIPAA BAA, because blank's services are consistent for all customers and so must follow the same procedures.
So where this may be an issue is, let's say there's a problem with the BAA and you think, well, I would like this type of coverage, I would like a little more strict ownership or specific provisions in this BAA for my information, or vice versa, and I'd like to talk about this. Well, it's important to note that when you're talking with a large organization that provides storage for, or processes or controls, information, there is a little bit of a concern with having to modify or make special concessions as it relates to just you. It can create a burden on their side as well. So not that those conversations can't happen, but I would certainly make sure you have the political or the financial reasoning behind why that would be something that the vendor should consider. And also note that it's probably going to come at an expense to give you that type of privilege, so just be aware of that as you go through your program in managing these relationships with covered entities as it relates to HIPAA.
"How can I get copies of the audit report?" The blank portal provides independently audited compliance reports, etcetera. So this organization has a portal where they've got copies of certifications, or audit reports, or attestation documents that can validate that they've been audited and that they take security and privacy, uh... But nevertheless, there's a way to contact them and get that information. So, again, just a couple of examples with some providers here as it relates to how information is used using their technology.
Here's a screenshot from a popular app that's used. This app doesn't necessarily have identifying information on a lot of their documentation; you have to be in the app. So the reason I chose this particular app is that they did a really good job of this, and you can look at this on the right side. There was "for legal reasons and to protect the platform."
The third bullet says "enforce our terms of service." They're certainly going to make sure that they can share your personal information in response to a legal obligation, or if they determine sharing your information is reasonable, and to enforce their terms of service. Many users will probably think, wait a minute, your terms of service could change, so there could be a problem here. Well, that's something to talk to your counsel about, and whether that's a risk you're willing to take. There's certainly a lot of information in the news at the time of this recording where certain apps could potentially be banned in certain countries because that information is being moved across international borders and the terms of service are pretty loose with how that information is going to be used. So it's just important to note, when you have an app, whether you're developing it or you're using an app that has access to or processes PII, that you look at that closely. I know it's not easy to do, but it's something that you have to have on your radar.
"In connection with sale or merger": we may share your personal information while negotiating or in relation to a change of corporate control, such as restructuring, merger or sale of our assets. And I'll be the first to tell you that not all of these opportunities end up with a sale or merger. So sometimes it's important to know what happens with that information after it's shared: is that other organization going to retain it, and for how long? Now, if I'm an individual and I reach out to this company and ask the question, they may not tell me, or it's going to be very difficult to find out. However, if you're working in a very heavily regulated privacy environment, you might have the ability to do so.
And then, last, "upon your further direction": with your permission or upon your direction, we may disclose your personal information to interact with a third party for other purposes. So they are saying, yes, with your permission we may disclose this, but there are certainly some other instances here where they've given themselves the ability to do that. So that's why reading these is important from a privacy standpoint, especially if it's a risky endeavor for you and your organization.
So, quick question: privacy notices or statements from vendors should include a way for a consumer to blank an organization. Sue, contact, or spam?
Well, the answer is contact. Hopefully everything you saw here, and if you go to that URL I shared in one of the images, shows there are ways to contact these organizations, and you're certainly following suit with that.
So, what we learned in this module: we discussed privacy examples from several cloud vendors and reviewed a privacy example from a mobile app vendor.