Vendor Privacy Examples

Time
3 hours 39 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
00:00
Module 3.8: Vendor Privacy Examples.
00:05
The learning objectives of this module will be to analyze the cloud vendor privacy examples and review an app privacy policy.
00:15
So in this example we see one that comes from Amazon. Many of you are probably familiar with Amazon or Amazon Web Services,
00:22
where organizations use their infrastructure or their cloud environments to run their computing systems.
00:31
They have a publicly facing document, what's called the Amazon Shared Responsibility Model.
00:37
Those of you who have worked with Amazon may be familiar with this. Maybe you aren't, but they use this graphic to essentially create a point of demarcation between what you are responsible for and what they are responsible for.
00:54
We can see here on the customer side, at the top in blue, you're responsible for customer data; the platform, applications, identity and access management; operating system, network and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption (file system and/or data);
01:11
networking traffic protection (encryption, integrity and identity).
01:14
So just as if you were operating your systems on premises, or if you are, you are responsible for all of those elements. Now, what they're responsible for, or the cloud, is they're responsible for their infrastructure: essentially the software that runs AWS (the compute, storage, database, networking), their hardware, the AWS global infrastructure, so their data centers
01:37
and the regions, the availability zones, and then their edge locations.
01:40
Now some of you privacy pros out there may look at this and say, well, wait a minute, is Amazon essentially offloading some responsibility to their customer in the event that there is a problem at their data center, etcetera?
01:56
Well, possibly, but that's something that you would have to work out with them. You know, some of you who have worked with Amazon have had no issues, and some of you may have. Either way, I think it's important to understand, at least from the practitioner standpoint, when you're
02:14
signing agreements with large organizations
02:16
that some of these agreements may lean more towards their favor than yours as it relates to privacy concerns. However, it's important to note that a lot of these large vendors have made concessions and made adjustments to
02:35
areas where privacy is much more of
02:38
a factor, specifically in the EU and other areas where there are a lot of heavy and strict privacy regulations. So I would not necessarily take this
02:49
as the end-all, be-all. However, if you're working in certain areas, make sure you contact your vendor to make sure that it's clearly understood what they are responsible for and what you're responsible for.
03:01
This is another example. I identified this document here that is really focused more on the health
03:09
information that's shared here in the United States. We have HIPAA, which is an act that focuses on ensuring that
03:22
PHI, or a person's health information, is essentially treated like PII: that it's only used for specific reasons, it's not shared publicly, and that there's security around it, etcetera. This is not a HIPAA course by any means, nor are we going into the HITECH Act. But I wanted to
03:39
circle some things here
03:43
that you, as a manager, may want to consider when it comes to sharing either employee information that's health related, or if you work with a healthcare organization in the U.S. or with patients from the U.S.
03:57
Does a BAA, which is a business associate agreement, with blank ensure my organization's compliance with HIPAA
04:04
and the HITECH Act? Well, technically, no. Offering a BAA, which is essentially an extension of responsibility from a covered entity to a business associate that the vendor relies on to help process and maybe control information, does not guarantee compliance. A lot of times it's like that:
04:24
there may be some attestation language
04:27
or amended with a BAA, but that does not automatically ensure compliance. So when you're working with vendors, or if you are one, it's important to make sure that your BAA in the relationship that's been agreed upon is understood and audited, and that there are no gaps.
04:47
Can blank modify my organization's BAA? Blank cannot modify the HIPAA BAA because blank's services are consistent for all customers, and so must follow the same procedures.
04:59
So where this may be an issue is, let's say there's a problem with the BAA and you think, well, I would like this type of coverage, I would like a little more strict
05:09
ownership or specific provisions in this BAA for my information, or vice versa, and I'd like to talk about this. Well, it's important to note that when you're talking with a large organization that provides storage or processes or controls information,
05:28
there is a little bit of a concern with having to modify or make special concessions as it relates to just you. It can create a burden on their side as well. So not that those conversations can't happen, but I would certainly make sure you have the, I would say, political or financial
05:49
reasoning behind why that would be something that the vendor should consider,
05:54
and also note too that that's probably going to come at an expense to give you that type of privilege. So just be aware of that as you go through your program
06:03
in managing these relationships with covered entities as it relates to HIPAA. And how can I get copies of the audit report? The blank portal provides independently audited compliance reports, etcetera. So this organization has a portal where they've got, whether it's copies of certifications
06:23
or audit reports or attestation documents, that can
06:27
validate that they've been audited and that they take security and privacy
06:34
concerns seriously.
06:36
But nevertheless, there's a way to contact them and get that information. So just again, a couple of examples
06:43
with some providers here, as it relates to how information is used when using their technology.
06:50
Here's a screenshot from a popular app. This app doesn't necessarily have identifying information on a lot of their documentation; you have to be in the app. So the reason I chose this particular app is
07:09
they did a really good job of
07:11
you can see here, separating out or indexing their privacy policy,
07:17
and you can look on the right side. There we see: for legal reasons and to protect the platform.
07:24
The third bullet says: enforce our terms of service. They're certainly going to make sure that they can
07:33
share your personal information in response to a legal obligation, or if they determine sharing your information is reasonable,
07:42
and to enforce their terms of service. Many users will probably think, wait a minute, your terms of service could change, so there could be a problem here. Well, that's something to talk to your counsel about, and whether that's a risk you're willing to take. There's certainly a lot of information in the news at the time of this recording where certain apps could potentially be banned
08:05
in certain countries because that information is being moved across international borders and the terms of service are pretty loose with how that information is going to be used. So it's just important to note, when you have an app, whether you're developing it or you're using an app that has
08:24
access to or is processing PII, that you look at that closely. I know it's not easy to do, but it's something that you have to have on your radar. In connection with sale or merger: we may share your personal information while negotiating or in relation to a change of corporate control, such as restructuring, merger or sale of our assets.
08:46
And I'll be the first to tell you that not all of these opportunities end up with a sale or merger. So sometimes it's important to know what happens with that information after it's shared:
08:56
is that other organization going to retain it, and for how long? Now, if I'm an individual and I reach out to this company and ask the question, they may not tell me, or maybe it's going to be very difficult to find out. However,
09:09
if you're working in a very heavily privacy-regulated environment, you might have that ability to do so. And then last, upon your further direction: with your permission or upon your direction, we may disclose your personal information to interact with a third party for other purposes. So they are saying, yes, with your permission we may disclose this,
09:30
but there are certainly some other instances here where they've given themselves the ability to do that. So that's why reading these is important from a privacy standpoint, especially if it's a risky endeavor for you and your organization.
09:43
So, quick question: privacy notices or statements from vendors should include a way for a consumer to blank an organization:
09:48
sue, contact or spam.
09:52
Well, the answer is contact. Hopefully, everything you saw here, and if you go to that URI I shared in one of the images, there are ways to contact these organizations, and you're certainly following suit with that. So, what we learned in this
10:09
module: we discussed privacy examples from several cloud vendors and reviewed a privacy example from a mobile app vendor.