For years, the carriers have rejected commitments related to the security of customers’ voice and data communications traversing their networks. This entry focuses on how this position undermines the carriers’ interests in offering or partnering in the provision of data center and cloud computing services in which carriers must compete with established players or tech-savvy start-ups that understand data security is central to the value of these non-transport offerings.
Carriers’ Longstanding Positions on Customer Data. The carriers have systematically rejected responsibility for customer data in connection with their transport services, maintaining customers can address these concerns by encrypting their communications. In regard to toll fraud, the carriers’ persistent position is that toll fraud is the customer’s problem. On customer proprietary network information, the carriers strive to extract the customer’s consent allowing the carrier to share CPNI with affiliates and agents and require the customer to affirmatively revoke the consent after contract signing, contrary to the spirit and intent of 47 USC § 222. The confidentiality provision in carrier agreements exists principally to limit disclosure of the terms and conditions in the agreement.
The Challenge for Carriers in Non-Transport Services. This aversion to reasonable commitments regarding the integrity of customer communications is a challenge for carriers looking to upsell firewall, intrusion detection and other network security offerings and data center and cloud computing services for which customer data and network security are paramount concerns. The carriers’ longstanding position on customer data security is not responsive in the current legal environment in which enterprises find themselves. Companies must comply with state laws and foreign directives on data privacy and breach notification obligations, industry-specific laws and regulations, such as the HIPPA Privacy, Security and Breach Notification rules, and industry-specific standards, such as the Payment Card Industry standards (collectively referred to as “Data Privacy Laws and Standards”).
The value proposition for data center services requires providers to assume control and responsibility for the integrity and security of their data center operations. Specific provisions obligating the site operator to deploy fire suppression technologies, electrical power back-up systems, physically diverse paths for connectivity to and from the facility, temperature controls and physical security are standard provisions. If the operation of the data center implicates customers’ obligations under Data Privacy Laws and Standards, the customer reasonably expects the data center provider to indemnify the customer for the costs, expenses and fines triggered by the services providers’ actions. Similarly, customers reasonably expect that their data reside in designated data centers and not re-located or transferred to physical facilities in other areas that trigger additional obligations under Data Privacy Laws and Standards.
These and related considerations over the loss of trade secrets and proprietary information are even more compelling in connection with cloud computing services. Customers reasonably expect that providers of network security services and data center and cloud computing services will conduct SOC 2 and SOC 3 reviews and even share the results of the service organization’s SOC 3 audits.
The major so-called “public cloud providers” may well resist provisions on data privacy and security, maintaining their offerings are highly standardized and available only under standard terms and conditions. On the other hand, other cloud services providers including those partnering with the major carriers are among those expected to respond in a reasonable fashion to the data security interests of enterprise customers. Telecommunications carriers would be well-served to abandon their intransience regarding customer expectations on data security and integrity if they expect to compete in the rapidly growing markets for these services.