Don’t Trust Your Data to Just Anyone

At a time when we are all too quick to click “Agree” and share our data in exchange for access to the latest cool app (or a coupon for 10% off your next purchase), it may be time to paraphrase Bo Diddley and ask a new question: “Who Do You Trust?” What do we share when we click “Agree?” Sometimes it’s just our email address, other times it’s access to our list of Twitter or Facebook contacts. But how quickly should you and your company “Agree” when access to your software license compliance data is concerned?How do you ensure data privacy? Who do you trust?

What are we talking about when we talk about “compliance data?” It can range from entitlement data in your CRM or licensing system to actual infringing usage data and analytics from solutions like Compliance Intelligence. It can be a profile based on behavior, and it can be forensic evidence of software piracy or overuse. Regardless of its composition, there are significant questions around trust that you and your company need to consider. This is data about your customers and users of your applications. You need to ensure that this sensitive data is “in the right hands” whether it is being used inside or outside of your organization.

Collecting compliance data

To accurately match software usage to an organization, software vendors are capturing a wide range of data:

  • Machine-level, user, time zone, and organizational IP address data
  • Country of origin
  • Company domain-level data
  • Environment information to help investigators count unique machines
  • Data on the amount of infringement or usage activity over time
  • The number of unique users using the software on each machine
  • OS platform information
  • Geolocation data to determine exactly where the infringing use is occurring

When collecting data like this, you need to be able to trust that your solution has granular policy management that supports the collection and storage of license infringement data to address data privacy and protection regulations. Ask whether it can redirect or hash data that is being collected based on the location of the machine and the vendor’s specific data collection policies. It is also important to know whether your policy management can be updated without changes to the code after their application is released (i.e., as you make changes to your privacy policy due to regulations or other factors, does your solution enable you to update your collection and data processing workflow, or does it require you to update the code and issue a patch that may not be applied by all users?).

Who manages your compliance data?

You also need to trust your solution and services partners themselves. Do they have a clearly articulated privacy policy? Has it certified its data privacy and  management practices with organizations like TRUSTe and frameworks like Privacy Shield? You also need to ask specific questions about the partners themselves:

  • How long has the partner been providing its solution and services?
  • Where is it incorporated? What do the legal and regulatory frameworks look like there?
  • What is its track record with other customers? In your industry? Is it stable financially?

Where is your compliance data stored?

Given the sensitivity of infringement data, security and privacy are crucial. Vendors that have attempted to build their own compliance intelligence solutions have found these issues especially challenging. When choosing a partner, vendors need to look closely at where the compliance data is stored and the robustness and security of the platform. Is it a proprietary solution with a small number of subscribers that has not undergone real world testing, or is it built on industry standard platforms like Salesforce.com with millions of subscribers and significant resources to ensure its integrity? What uptime commitments are offered? What are the backup and security options? If you prefer to host gateway servers yourself, what management tools are available? Are they easy to use, and well-documented?

Who can access your compliance data?

Your compliance intelligence solution should also incorporate strict granular limits on who can see data and perform analyses, protected by well-tested, up-to-date security. Role-based access is especially important when working with a compliance partner that will be acting on your data. In addition to the organizational trust considerations mentioned above, you should also make sure that your solution ensures that your partner can only see the data it needs to do its job. Beyond geographic and account limitations, you should also be able to restrict access to just the aggregate data that is required – very few compliance partners need access to all of the underlying infringement data specific to an account.

With great data, comes great responsibility

As long as I’m re-purposing classic quotes, I think it is fitting to end with this one. Data privacy and regulation is a hot button issue for good reason: data is power, and with access to powerful data comes a great responsibility to collect, store, manage, and share it wisely. Trusting your compliance solutions and service providers is crucial and should not automatically be given because they offer “10% off your next purchase.” Who do you trust?

Leave a Reply

Your email address will not be published. Required fields are marked *