The news media and Internet have been sizzling ever since last week’s revelation by The Guardian and The Washington Post that the U.S. National Security Agency (NSA) has been tracking data from many U.S. phone calls as well as much of the world’s Internet traffic.
Amid retractions, corrections, denials, international concern, non-comments, and accusations galore, parsing through the implications of what exactly has been going on in both the secretive Foreign Intelligence Surveillance Act (FISA) court system and the NSA’s “PRISM” program is an important and ongoing conversation for civil society.
For businesses, data vulnerabilities — whether via government security programs or corporate espionage by foreign nations — are a real and constant threat. But what’s to be done?
You could reject the cloud, unplug your computers, cancel your phone lines, and insist on only meeting people face-to-face in secure facilities. For the more practical among us, instead it makes more sense to simply take a few moments to consider in a very realistic way how government spying impacts your competitive position, and what new liabilities these revelations introduce for your business.
How it works
The technical specifics of the PRISM program have not yet been fully revealed. What is clear is that over the last few years 9 major consumer Internet companies (including Facebook, Microsoft, and Google) have begun, either willingly or via court order, to provide user data to American security officials.
The fact that PRISM is a U.S. government program is significant. Over 85 percent of worldwide Internet traffic flows through the United States. Efforts over the last few years to decouple global Internet administration (including the Internet Corporation for Assigned Names and Numbers, or ICANN) from affiliations with the U.S. government, and reassign them to United Nations management, have failed.
So corporate compliance, technical abilities, and budget allocations aside, the United States is the one and only country that hosts so much of the Internet’s infrastructure that it can collect meaningful data on a truly global scale. In short, you can’t avoid it.
Your competitive position
The question now becomes how government surveillance programs impact your competitive position. And the news here is good.
When it comes to HR data, there’s nothing that government security services don’t already know and would care to know, which could also put you at a competitive disadvantage.
Is the government reading your email to learn more about some potential security threat? Maybe. Will they be forwarding your emails to the CEO of your top competitor? Of course not.
This is not to undermine the threat of corporate espionage. Just because the NSA doesn’t care about you compensation programs, your top performers, your applicant pool, or your policies and procedures, it doesn’t mean your competitors don’t.
That’s one reason why it’s so important to make sure that the HR systems you choose are following security best practices — data encryption, secure sessions, separate databases, certified data centers, etc.
Your liabilities
The other reason to ensure your systems are secure is to minimize your liabilities. When security flaws introduced by a vendor or government interference puts your data at risk, it distracts from your core business purpose, and your employees or partners may even come looking for compensation (such as in the case of identify theft or broken non-disclosure agreements).
Fortunately, once again PRISM does not introduce a significant risk in this case, for three different reasons:
- Few of the known participant organizations are major business service providers. Skype and Google are affected, but no major server farm or B2B SaaS system appears to be involved.
- Your business isn’t knowingly, deliberately, or even negligently compromising this information. No court could find you liable for the world’s most powerful intelligence administration managing to gain access to vital data.
- There isn’t an environment of litigation around employee data. And when it’s compared to something like online piracy, where there’s also a very large and very well funded lobbying effort, it doesn’t look like such an environment is likely to arise any time soon either.
Allegations of widespread and possibly even illegal government surveillance are extremely serious and merit careful attention. Businesses can take a leading roll in pushing for reform, improving security, and spreading awareness.
In the case of data risk and privacy loss, however, PRISM is no big change. Your board of directors can sleep easy.