TRUSTe WHITEPAPER: Joining the Global TRUSTed Cloud. TRUSTe Inc. US: 1-888-878-7830 | EU: +44 (0) 203 626 0109 | www.truste.com


Joining the Global TRUSTed Cloud 

IBM began the centralized hosting of business applications as early as the 1960s, but not until the 21st century did Internet-enabled “cloud computing” fully take off and produce multi-billion dollar business segments that some analysts predict will eclipse $20 billion by 2015. Professionals now commonly refer to “software as a service” (SaaS) in everyday conversations. The Cloud has become such a relevant, important feature of modern business because it brings undeniable efficiencies, improvements in levels of service, and cost savings to organizations that rely on it. However, it is a dramatic, complex new landscape of expectations, interaction, and potential pitfalls on a global scale into which no one should tread without careful consideration.

If you are a SaaS provider or incorporating such services into your own business, relying on the Cloud means needing to pay special attention to how it works in order to meet your professional obligations and protect your brand.

This white paper will allow you to become more adept at recognizing where customer expectations about privacy and compliance with national and international policy including the EU Safe Harbor framework meet. See Figure 1 below:

Pitfalls of Data Collection and Data Processing 

Data is now the primary driver for business intelligence and competitive advantages, but personally identifiable information (PII) in this mix of big data can put you at great risk if you or your vendor partners do not secure it properly as a function of collecting or processing it. The number of incidents and frequency of PII being compromised due to poor security or inadvertent mishandling issues are on the rise. Forrester in their October 2012 report titled “identify and influence data security and privacy stakeholders” highlighted 924 confidence-shattering cyber events in the first eight months of 2012 alone.

FIGURE 1 (diagram labels: Business Needs; Compliance; Privacy; Productivity; Web; E-mail; Mobile; “We are here.”)


If you are inherently confident that any PII your service is handling “will probably be fine,” it very likely will not be. You are likely vulnerable in some way, even a small one, to attacks from outside of your organization. And, if your service was not built originally on a pervasive Privacy by Design* strategy, then you may also have dangerous internal vulnerabilities.

* For more information on Privacy-by-Design and its creator Dr. Ann Cavoukian, visit http://www.privacybydesign.ca

It is a common misperception that external threats from nefarious entities are at the heart of data-centric fiascos and embarrassments. These are not the only problems that organizations face when their policies and practices are not designed properly to respect PII.

In the following diagram you’ll recognize the brands of many very different US national and international businesses. They each have different business models and customer bases, but they do collect PII and analyze their customers’ preferences. In the end, business decisions all revolve around data, and in these examples there was no external threat.

FIGURE 2 (timeline, January through August. 2011: January - August, 924 cyberevents, 264 million records!)
• Zappos: 24 million records
• YouPorn: 1.4 million records
• Gamigo: 8.2 million records
• Global Payments: 7 million records
• CA Dept. of Social Services: 701,000 records
• Texas Secretary of State: 6.5 million records
• LinkedIn: 6.5 million records
• Elections Ontario: 4 million records
• Yahoo: 453,492 records
• Shanghai Roadway D&B Marketing Services: 150 million records
• eHarmony: 1.5 million records
• Formspring: 28 million records
• EPA: 8,000 records


Again, whether you are the data collector who was originally trusted to collect someone’s PII or the processor to whom it was passed for analysis, safekeeping, or other processing, you are at risk of committing data mismanagement. This could cost you customer trust, damage your brand, and expose you to lawsuits, regulatory fines, and multi-decade invasive audits.

Layering on International Concerns 

If your organization has over 200 employees, your business is likely crossing oceans, in terms of partner and vendor relationships as well as data. Abroad, especially in the European Union, laws governing PII are even more restrictive than those in the United States. Even as long ago as July of 2000, Microsoft was convicted of mishandling the personal data of its employees in Spain. Microsoft was originally fined the equivalent of roughly USD 250,000. Since then, European law has continued to evolve, producing policies like the EU Cookie Directive, which governs how businesses are allowed to access and store data on EU citizens’ devices. Recent activity by the Article 29 Working Committee in the EU points towards a trend of increasingly complex regulation over the next three to five years.

Until now the safest solution for most US organizations to engage in European-related business has been to comply with the US-EU Safe Harbor Framework (EUSH). In October of 1998 the European Commission’s 1995 Directive on Data Protection took effect in the interest of protecting the personal information of European citizens. The Directive prohibits the transfer of personal data to non-European Union countries that do not meet the EU adequacy standard for privacy protection. In general the United States’ approach to privacy protection is deemed inadequate by these European standards. Without some collaboration between US and EU authorities the late 90’s Directive could have become a significant hindrance to trans-Atlantic transactions and trade.

FIGURE 3
• 2011: Apple and Google weather “location gate” privacy scandal over their mobile devices. Apple changes collection practices in response.
• 2011: Playdom fined $3 million for violating children’s online privacy.
• 2011: Broken Thumbs Apps settles FTC charges that it violated children’s privacy law – company is fined and forced to destroy the data.
• 2011: Netflix faces multiple privacy lawsuits over its data storage practices.
• 2011: Acquisition of Borders delayed due to questions over privacy rights of 46M email subscribers.
• 2011: OnStar forced to reverse location tracking policy following privacy outcry.
• 2012: Path social network app accesses address books without permission.
• 2011: nebuAd settles $2.4 million privacy lawsuit over behavioral targeting practices.

In 2000 the EU Data Protection Authorities approved the US–EU Safe Harbor Framework. This mechanism allows US companies to self-certify annually via the US Department of Commerce that their data-handling is in fact adequate to meet European standards for data transfers from the EU to the United States. It was conceived as the most broad and efficient way to lubricate commerce across the Atlantic with the least amount of burden on individual organizations.

Even with the decade+ history of EUSH, things have been changing in European law and it is likely to evolve over the course of 2014 through 2016. Additionally, Switzerland has its own, separate framework agreement with the United States. If you are subject to oversight by the FTC and DOT due to the international reach of your business, this is an evolving policy area that you must not ignore.

No Islands in the Cloud 

It is virtually impossible to be an island in the Cloud in today’s big-data enabled interaction paradigm. Every entity that historically may have been separate and self-contained is rapidly becoming a mere node in a vast network of processing applications, interconnected databases and their front-end interfaces. Violations can happen as data, including PII, is passed around from department to department, even internally. As a responsible organizational leader, you must recognize that even data passing internally to an office abroad warrants stringent data processing requirements.

The situation increases in complexity when you are engaging and collaborating with other SaaS companies to provide Cloud-enabled infrastructure and service to clients. Contracts must be in place to properly protect PII in a networked ecosystem, and failure at any node, yours or another’s whom you are trusting, could end up turning your brand into a privacy violation statistic.


Beyond North America and Europe 

If your data flows involve complexities like European PII flowing to Latin America or Asia, you may need TRUSTe’s additional counsel on finding the right legal support for setting up Binding Corporate Rules (BCRs) or implementing Model Contracts. The need for these scenarios is clarified as a standard function of the TRUSTed Cloud consultation process.

Dispute Resolution Support 

Even when you’ve made concerted attempts to cover every base, problems and disagreements invariably arise. When you are a member of the TRUSTed Cloud, TRUSTe will be there to help you avoid the pain and expense of full-on, reputation-damaging domestic or international lawsuits.

The Perks of Pervasive Trust

Under the TRUSTed Cloud umbrella you’ll be able to rest assured that:

• Your customers will trust that you respect them and their privacy.

• You need not fear that you are out of compliance.

• You’ll know that your divisions are maximally productive in their initiatives that involve PII.

FIGURE 5 (diagram labels: Corporate Headquarters; SaaS Vendor; Vendor’s Partner; Contract; Privacy Policy; Name; Location; Phone Number)


TRUSTe professionals will ensure that you’re in the best shape possible on all of these varied fronts and will provide you with extensive documentation and support in this process:

Most importantly, you’ll know that with TRUSTed Cloud certification your internal policies and practices are optimized across this matrix of business needs.

This all inevitably leads to:

• Accelerated sales cycles

• More contract renewals

• More deals ultimately closed

FIGURE 6
• TRUSTed Cloud Seal
• Assessment of your Data Privacy Practices
• Privacy Analysis Report: Gaps in Practice & Controls
• Updated Privacy Policy
• Dispute Resolution Service
• Dedicated Account Management
• Letter of Certification

FIGURE 7 (diagram labels: Business Needs; Compliance; Privacy; Productivity; Web; E-mail; Mobile; “You are safely at the forefront in the Cloud.”)


US: 1-888-878-7830 | EU: +44 (0) 203 626 0109 | www.truste.com © 2012 All Rights Reserved

Thousands of Organizations Rely on TRUSTe’s Expertise

As a prime example of what TRUSTe has done for clients across the globe, let’s hear what David Fowler, the CPO of Marketfish, feels about relying on the Cloud for their success.

Marketfish is the only fully automated, cloud-based lead generation platform that offers free access to an online marketplace for e-mail, postal lists, and the ability to build and execute marketing campaigns in under 30 minutes.

Over 15 Years of Getting it Right 

Dave knows, as an executive relying on the Cloud for his core business model, that with guidance from and certification by TRUSTe, he’s in great hands in terms of meeting customers’ and regulators’ privacy and security expectations all over the planet.

About TRUSTe 

TRUSTe has been a leading provider of data privacy solutions and certification services for over 15 years, and small and large enterprises alike have come to rely on TRUSTe to assist in designing and implementing comprehensive data privacy strategies. TRUSTe fully understands the complexities of privacy and security as they relate to business in the Cloud. We invite small to large enterprises to allow TRUSTe to help you protect your assets and garner consumer trust with the TRUSTed Cloud.

TRUSTe is the leading global data and privacy solutions provider. TRUSTe offers a broad suite of solutions that enable multinational companies to safely and efficiently handle the customer data powering their online businesses, including advertising, cloud services, mobile applications, and websites. Over 5,000 web properties from top companies like Apple, Disney, eBay, Forbes, HP, and Microsoft rely on TRUSTe to ensure compliance with evolving and complex international privacy requirements. TRUSTe’s mission, based on a “Truth in Privacy” framework, is built on a solid foundation of transparency, choice and accountability regarding the collection and use of personal information. TRUSTe’s privacy seal is recognized and trusted by millions of consumers worldwide as a sign of responsible privacy practices. For additional information on TRUSTe and its offerings, please visit http://www.truste.com.


“At first when we looked at this in terms of Marketfish’s roadmap, our first strategic decision was to enlist the help of TRUSTe. I personally and professionally have followed and worked closely with TRUSTe since 2004 so this decision really wasn’t a difficult one because I know that their solutions would solve my business challenge and I’ve seen that in the past. TRUSTe have great products and services and good peeps that solve complex issues in a timely fashion and support the solutions that increase ROI. In fact, as the digital marketplace has developed and become more complex to navigate, I would suggest that in 2013 and beyond if you are operating on the Internet you can not afford not to have certification.”