Privacy and security are not the same thing. While it is true that security is necessary for privacy, without privacy, security doesn’t really matter.
By the nature of their business, security vendors often have access to a great deal of personal data, including sensitive data belonging to their customers - and often of their customers’ customers as well. Maintaining the confidentiality, integrity, and accessibility of that data is only the beginning. Vendors must take responsibility for ensuring the privacy of personal data they collect and process on behalf of their customers.
The vast majority of individuals are unaware of all of the activities that may impact their privacy, or the potential ramifications such activities may have on their life and well-being. Organizations similarly may not fully understand the potential impact a vendor’s handling of personal or sensitive data may have on their own risk profile without a great deal of diligence.
Even with complete transparency and full disclosure, the reality is there is just too much information to deal with, and it requires a concerted effort on the part of all involved to ensure privacy remains a priority. The intertwined systems of information collection and processing are far too complex for any single individual or organization to address alone, and even the most sophisticated individuals and organizations may fall prey to irrational privacy valuations and discount future risks for immediate rewards.
The following should be considered basic tenets for every service provider, and especially information security vendors.
Ten Privacy Principles for Vendors
- Be Accountable: Vendors must be responsible stewards of the personal data they manage on behalf of all individuals and organizations who share data with the vendor. It should always be their goal to ensure personal and sensitive data are always processed in a fair and lawful manner.
- Have Privacy by Design: Vendors should seek to embed privacy into their business processes, products, and services by proactively identifying and addressing privacy risk early in the lifecycle of new projects in order to safeguard personal data entrusted to them.
- Have Purpose and Use Limitations: Vendors should always limit the collection and use of personal data to specific purposes. They should not use personal data in any way that is incompatible with the purpose for which it was collected.
- Provide Transparency: Vendors should always provide clear descriptions of their policies and practices that collect, process, transfer, and disclose personal data.
- Offer a Choice: Where possible, vendors should always describe the choices available and allow individuals and organizations to make informed decisions about the personal data they share with them.
- Practice Data Minimization: Vendors should always strive to collect the least amount of personal data necessary for the purpose communicated.
- Adhere to the Security Triad (Confidentiality, Integrity, and Access): Security is an absolute necessity. Vendors must always protect personal data from unauthorized access throughout the data lifecycle with security safeguards that are appropriate for the sensitivity of that data. Personal data should be accurate and kept up-to-date. Where feasible, vendors should allow individuals and organizations to have access to the information collected about them to review and update.
- Visibility in Transfer: Vendors should only transfer personal data to authorized third-parties after informing users, and only for purposes that have been communicated or are compatible with the initial collection.
- Have Storage Limitations: Vendors should retain personal data for the minimum amount of time required to complete the purpose for which it was collected, or as required by law. After the purpose has been fulfilled, they should responsibly remove it in a timely manner.
- Customers First. The welfare of customers should come first. Vendors should always be focused on maintaining the security and privacy of their customers’ data.
Information security vendors are entrusted with safeguarding the information systems and data of their customers. While it is a given that information security vendors provide security, they must also provide privacy, otherwise the value of any security they provide is significantly reduced and its purpose materially undermined.
At BlackBerry® Cylance®, we have designed our products and services to offer our customers a granular level of control regarding data collection for forensic examination. We go to great lengths to ensure privacy-by-design not only in the architecture of our endpoint agent, but also in our products’ cloud-based control consoles, and we never treat our customers’ data as something to be profited from.
Trust is paramount for BlackBerry Cylance, and we will continue our legacy of earned trust in how we approach the security and privacy of our valued customers. If your security vendor does not respect your privacy in the manner that they treat your sensitive data, you should find a new security vendor.