FCC privacy ruling could leave enterprises’ data vulnerable

I took a new job late last year. Now, instead of consulting with a lot of companies, I have full-time CISO responsibility for just one. Ownership of enterprise security means experiencing strategy differently than when I was a consultant, sometimes with humbling results.

A strange physics is at work, where grand theories of frameworks and best practices can break down at the quantum level of daily operations. It forces you to look differently at things sometimes, especially strategy.

One chance to think differently came over the past week as I read about President Trump’s repeal of new FCC rules that would have restricted how ISPs can use consumer data. The case has reminded people of the detailed data trail everyone leaves online, telling who we are, where we go, and what we do. This data can be captured and monitored, analyzed and packaged. It’s worth money. And the concern is that everyone from marketers to cyber criminals is interested in getting their hands on it. The FCC rules were intended to give people more control, but now they’re dead – hence the controversy.

Do companies have “personal privacy”?

My first reaction, like many, was that of an individual consumer concerned about my personal privacy. But then the CISO in me started asking, what does this mean for a company like mine or like the many others that depend on these infrastructures and services? Corporations can be consumers too, and are even considered “people” under certain circumstances.

It got me thinking. We’re a smaller company, a startup in the healthtech space. We have many mobile workers, and we use a lot of cloud-based IT services. When my users go online at a coffee shop or a hotel, they are leaving the same digital evidence they do as consumers, but now they are doing it from company devices on company business (with personal use thrown into the mix as well). Their individual work habits, taken together, amount to my company’s personal information and behaviors online. All of that data could be available to internet companies and ISPs. 

I felt paranoia set in, and not for some Snowden-esque state sponsored spying (although that also worries me). It was more banal. If there is a market for an individual’s online behavior, I’m sure there’s a market for the collective online habits of my company’s employees. Competitors, recruiters, and vendors might all be interested in what my colleagues are doing, saying, and viewing on the net.

Personal privacy violations are often described as creepy. What about when it comes to a company’s personal privacy? Is that even a thing? Well, interestingly enough, at least one ISP has argued that it is, and in front of the Supreme Court. 

The justices said no, but only when it involved the Freedom of Information Act. I’m more worried about corporate espionage. My team’s online behavior, from the services and devices we use to our overall company culture, are enterprise data and corporate property. I don’t like the idea of someone else getting them. Especially not when they have business value I’m losing out on.

I would resent handing that value over to another party as a side effect of our paying for the privilege of using their pipes or their services. That feels like double dipping. But in researching this post, I discovered precious little that reassured me it could not happen or is not happening. The whole thing feels enterprise-level creepy.

Unsplash

Naturally, this led me to think about what my company, or any company, can do to avoid having its data tracked, packaged, and sold. It’s a tough problem, but three initial ideas emerged from the media debate that accompanied the repeal of the FCC rules.

Understand your agreements

The first task is to get a grip on the privacy agreements companies have in place with their providers and vendors that have access to users’ data. It’s pretty clear that my provider can’t sell my documents and files, but can they collect and sell the fact that we standardize on MS Word or Google Docs to write those documents? What happens if we don’t have an agreement with a provider? Are we then just another consumer, and our corporate data fair game for collection?

Re(think) VPNs

VPN providers have been enjoying a flood of media reporting in the wake of the repeal. Analysis of the value of VPNs range from must have one to maybe to skepticism. Many companies already use VPNs widely to meet remote access needs, but they’re often thought of as a “work” thing by users. While understanding that VPNs are not a silver bullet, I’m encouraging our employees to use them more generally, every time they connect to any network.

Educate people and build awareness

Peoples’ behaviors are necessarily at the heart of behavioral surveillance. Many users worry about personal privacy, and my job is to cultivate an equal concern for our corporate privacy. It’s not just about attackers getting in, but about what information we’re letting get out. I need my users to practice situational awareness, at work and at play, and to understand that someone is always trying to watch what they’re doing. User education also happens to align with my values of people-centric security, where you always treat your users, your people, as part of the solution rather than part of the problem.

The effects of the FCC rules repeal may turn out to be overhyped. Or the repeal might mean everything its detractors fear. But as a security owner responsible for imagining all the risks to my organization, the past week made me consider the problem from another perspective.

Don’t keep your comments private, add them to our Facebook page.