Tackling International Security and Privacy Compliance

This is the third in a series of Arrayent blog posts on IoT security. The series is written for employees of companies who sell connected products, especially those new to IoT. With this series, we hope to bring a basic level of awareness and understanding of key issues that face everyone who develops connected consumer products. We also hope to stimulate an ongoing dialog that helps move the conversation about connected products security forward.

At Arrayent, we counsel consumer brands that are embarking on a connected product strategy that security cannot be an afterthought because so much is at stake. Whether implementing an IoT strategy internally, or working with an external partner, the brand remains accountable for protecting their customers’ security and privacy. These efforts aren’t only aimed at protecting brand image, they are also targeted at complying with increasingly stringent data privacy and security restrictions around the globe that regulate how corporations protect consumer data—from what it is, to where it will be stored, and who will control access.

With concerns of data security and privacy on the rise, the impact of complying with global regulatory frameworks is greatly magnified. Here is a primer on what you need to know about launching connected products across the globe.

THE EVOLVING EU-U.S. AND SWISS-U.S. PRIVACY SHIELD FRAMEWORKS

The U.S.-EU Privacy Shield Framework was first implemented in July 2016 by the U.S. Department of Commerce and European Commission It provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The Privacy Shield Framework replaced the previous Safe Harbor program. In January 2017, the Swiss Government joined in with the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the U.S. The substantive requirements of the EU-U.S. and Swiss-U.S. Privacy Shield are the same.

To join the Privacy Shield program is entirely voluntary. A company publicly commits to comply with the Privacy Shield Principles through self-certification. That commitment is then enforceable under U.S. law by the relevant enforcement authority, either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT).

AFTER PRIVACY SHIELD COMES THE EU GDPR

More stringent regulations are coming in less than one year’s time through the EU General Data Protection Regulation (GDPR) program, which is set to go into force on May 25, 2018. This will have a significant effect not only for companies in the EU, but any company doing business with the EU that offers goods and services and/or exports personal data to countries outside the EU. Penalties for non-compliance are steep. In the face of Brexit, the UK Government has stated that it will implement an equivalent or alternative legal mechanism.

Privacy Shield vs GDPR

Privacy Shield vs GDPR (Graphic courtesy of TRUSTe)

A recent Cloud Security Alliance (CSA) survey found major concerns around data security and regulatory compliance with the EU GDPR and EU-U.S. Privacy Shield. More than half (54%) of respondents felt their company was insufficiently prepared for these regulations and did not have the ability to meet the GDPR’s compliance deadline next year.

COMPLIANCE ASSISTANCE

As with the EU-U.S. Privacy Shield Framework, privacy management consulting firm TRUSTe has developed comprehensive solutions to help organizations comply with the GDPR. At Arrayent, we participate in the TRUSTe privacy certification program and our services comply with current regulations globally. We strongly advocate that companies seek help from TRUSTe when structuring their own data security and privacy programs. Arrayent will add GDPR compliance when that program becomes active and this will help all Arrayent customers to likewise be compliant as far as their connected product data is concerned.

We advocate getting ahead of global security and privacy compliance initiatives by devoting resources to that effort. By way of example, Arrayent was the first IoT platform to attain EU-U.S. Privacy Shield certification with the U.S. Department of Commerce, and chose to go to the next step and partner with TRUSTe to help ensure we could demonstrate our privacy commitment to users, partners, and regulators. More details on that process are provided here.

CLOUD SECURITY ALLIANCE ASSESSMENT

Another great tool for IoT cloud providers is CSA’s program of assessment. It starts with a Self Assessment that is free and open to all cloud providers and allows them to submit self-assessment reports that document compliance to CSA-published best practices. CSA’s top tier program is a rigorous third-party independent assessment of cloud provider security. CSA’s Security, Trust and Assurance Registry (STAR) is publically accessible and documents the security controls provided by popular cloud computing offerings. This registry is designed for users to be able to assess their cloud providers, security providers and advisory and assessment services firms in order to make the best procurement decisions.

ASSESSING VENDORS THROUGH THIRD-PARTY SECURITY & PRIVACY AUDITS

When evaluating IoT cloud providers, any who have large corporations as customers will most likely have been subjected to frequent privacy and security audits by third-party firms that specialize in this type of work. Asking IoT cloud vendors about the audits they have gone through and the audit results is an excellent way to vet a company that is under consideration for managing your company’s data. Sometimes the audit results are not available for review, that’s when customer reference calls can provide illuminating information.

Whether companies use IoT cloud providers or manage connected product data themselves security and privacy in the age of the IoT must be ‘by design’ and requires rethinking of business as usual. It spans the technical, organizational and cultural aspects of businesses. Legislated compliance regulations will continue to evolve and every company that collects data from connected products—whether alone or with a partner—needs to understand, appreciate, and prepare for that eventuality. For more info, visit: arrayent.com/global-compliance.