How Many Security Breach Notices Have You Gotten? Time Cloud Providers Step Up

I don’t know about you, but I do worry about cybercrime. I just got another notice in the mail from a company saying that they “may have had a security breach.” The security of CRM or customer data is clearly something that customers care about. It’s become so common that it’s almost not a shocker when I get letters like this. CRM vendors, especially those that put customer records, data and customer analytics in the cloud, must step up their security. I was relieved to hear about the independent auditors that verified that Microsoft Azure, Office 365, Microsoft Dynamics CRM Online, and Intune align to ISO/IEC 27018, which provides a uniform, international approach to protecting Personally Identifiable Information (PII) in the cloud.

The company hit other privacy milestones last year, including confirmation from European data protection authorities (Europe tends to have stricter regulations than the US) that its enterprise cloud contracts are in line with “model clauses” under EU privacy law, and it was among the first companies to sign the Student Privacy Pledge. In a blog post, Brad Smith, General Counsel & Executive Vice President, Legal and Corporate Affairs, Microsoft, said the privacy standard, known as ISO/IEC 27018, was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud.

What does this mean for companies and their customers? Adherence to ISO 27018 assures enterprise customers that customer privacy will be protected in several ways.

  • Companies are in control of their data. If they use the Microsoft products that adhere to ISO 27018, the standard ensures that Microsoft only processes personally identifiable information according to the instructions that a company provides to Microsoft. So if you are a Microsoft customer, it is time to make sure the CRM folks and the IT/Security folks are having lunch and meetings to discuss, plan and execute on their privacy strategies.
  • Companies know what’s happening with their data. Adherence to the standard ensures transparency about Microsoft’s policies regarding the return, transfer, and deletion of personal information the company stores in the data centers. Microsoft will not only let the company know where its customers’ data is, but if Microsoft works with other companies that need to access the company’s data, Microsoft will let the company know who it is working with. In addition, if there is unauthorized access to personally identifiable information or to processing equipment or facilities resulting in the loss, disclosure or alteration of this information, Microsoft will inform the company.
  • Microsoft provides strong security protection for a company’s customer data. Adherence to ISO 27018 provides a number of important security safeguards. It ensures that there are defined restrictions on how Microsoft handles personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts. In addition, the standard ensures that all of the people, including Microsoft’s own employees, who process personally identifiable information must be subject to a confidentiality obligation.
  • Your customers’ data won’t be used for advertising. Enterprise customers have been expressing their concerns about cloud service providers using their data for advertising purposes, especially without consent. The adoption of this standard reaffirms Microsoft’s longstanding commitment not to use enterprise customer data for advertising purposes.
  • Microsoft will inform companies about government access to data. The standard requires that law enforcement requests for disclosure of personally identifiable data must be disclosed to the company as an enterprise customer, unless this disclosure is prohibited by law. Microsoft already adheres to this approach, and the adoption of the standard reinforces this commitment.

So as a consumer, do you feel safer or not? That’s the important thing. It’s a very good step in the right direction for Microsoft and its products. Now what to do about those cybercriminals?

@drnatalie

VP and Principal Analyst, Constellation Research

Covering Customer Experiences that Engage, Empower and Ensure High Customer Lifetime Value
