Provider Bill of Rights: Have Your Mission Critical B2B Data Stay Confidential (If You Want It To)

Pierre Mitchell - October 29, 2013 7:18 AM | Categories: Procurement Commentary

In our last Procurement Bill of Rights post on data security, we repeatedly touched on the related issue of data security and confidentiality. These two go hand-in-hand, especially in the context of an electronic business network. For example, if a competitor wanted to access your corporate assets, the easiest way besides paying off an insider is to use phishing attacks to gain corporate access, and it would be fairly easy to use such trading networks to emulate supplier and buyer communiqués to each other to do just that. We won't lay out all the potential scenarios, but there are many, and we'll focus more on the confidentiality issue.

Not to pick on Ariba, but it's disconcerting to listen to their senior executives touting the Ariba network as the B2B equivalent of Facebook. Why? Because as a potential buyer on Facebook, you don't buy a product from Facebook. Rather, you ARE the product, packaged up for the suppliers who pay to get access to you. In a B2B context, though, buyers are a little more concerned with data privacy than consumers, who accept their fate of ignoring seller ads in exchange for free access to the network (although the privacy backlash has hit B2C too, with a slew of firms such as Path, Circle, etc.).

It's not so much about masking your firm as a buyer. If you register at B2B networks with free supplier discovery functionality such as Discovery.Ariba.Com, MFG.com, ThomasNet.com, etc., you need to expect that you're going to be visible at some level to suppliers – beyond just the RFQs that you may or may not post. For example, I had a client whose private tender went out as a public tender on one of these networks (starts with an "A"), but that 'undocumented feature' has since been fixed.
The bigger problem has to do with confidentiality about who you currently do business with, what you are buying from them, where they are located, how much you are paying them, at what terms, etc. This is where you need to be aware of the hidden dangers of using a public cloud-based business network for conducting what you hope will be private B2B commerce. If such a network offers SaaS-based applications, then you would expect those applications to be served up as a secure and confidential application service. In the SaaS world, a basic right is that the provider owns the code and you own your own data. Simple, right? But when the application service becomes a "network service," that is when Procurement right #1 gets violated.

So, you have to be vigilant regarding your SaaS contracts. You might feel that you are well covered, but you should take an inventory of your SaaS contracts and see what they actually spell out. If the contract is 'silent' on data confidentiality, generally the provider can do what they want with the data, especially in seemingly harmless aggregation of data in a 'blinded' fashion.

We asked one of our expert network contacts, Jeff Gordon, to chime in on the topic, and he recommended the following methodology:

Without looking at your contracts, ask yourself what you BELIEVE your cloud suppliers are able to do with your data – using the belief statements below. Then, go find the top 5-10 contracts with your most valuable data (however defined) and assess what the CONTRACT actually and clearly says the suppliers CAN'T do with their data.

- I believe my contract rests 100% of the ownership of my data in me or my firm.
- I believe my contract restricts access to my data to my employees.
- I believe my contract contains penalties for ANY unauthorized access to my data by people other than those to whom I've given a username and password.
- I believe my contract prevents the cloud provider from giving and/or selling my data to a third party.
- I believe my contract prevents the cloud provider from giving and/or selling aggregate data (anonymized or not), in which my data is included, to a third party.
- I believe my contract requires the cloud provider to automatically send me a usable copy of my data at no additional charge or fee at the end of the contract term.
- I believe my contract clearly states that my data is in a shared (or segmented) environment, only separated by soft security measures, such as passwords.

Stay tuned as we discuss this topic further!