Data security concerns, too, tarnish ASPs' allure for government clients of PricewaterhouseCoopers, says Barbara Duffy, a PWC consultant. "Think of the commercial windfall if any of these [hosting] companies started selling social services data or any other government agencies' data," Duffy says. "It's unacceptable, but it could happen."
And indeed it is.
Pradeep Singh, a principal at Management Information & Technology Consultants, New York, found that of 30 application hosting providers he investigated, 30 percent were selling their customers' data.
Singh uncovered the data pilfering while conducting background checks on hosting providers on behalf of his clients. He used a method called "seeding," in which he fed the hosting companies false information. If he started receiving mail under those false names, he knew they were selling their customers' data.
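The "seeding" check Singh describes is a form of honeytoken detection: each provider is given a fictitious record that exists nowhere else, so any mail that later arrives for that name attributes the leak to one provider. The following is an added illustration of how a customer might keep the books on such seeds; it is not code from the article or from any firm named in it. Provider names, seed identities and the incoming mail list are all constructed sample data, and the normalization rules are an assumption about how a broker might reformat a name.

```python
"""Seed-record ("honeytoken") attribution for data-custodian audits.

Added example; the providers, seeds and mail below are constructed.
"""
import re
from collections import defaultdict


def normalize_name(name):
    """Canonicalize a recipient name so that a broker's reformatting
    (case changes, stray punctuation, "Last, First" ordering) still matches
    the seed as it was planted."""
    s = name.lower()
    if "," in s:                       # "Last, First" -> "First Last"
        last, first = s.split(",", 1)
        s = f"{first} {last}"
    s = re.sub(r"[^a-z0-9 ]", " ", s)   # drop periods, hyphens, etc.
    return " ".join(s.split())          # collapse whitespace


class SeedRegistry:
    """Maps each planted seed identity to the single provider that received it."""

    def __init__(self):
        self._seeds = {}               # normalized seed name -> provider

    def plant(self, provider, seed_name):
        """Register a seed. Refuse to reuse a seed across providers, since a
        shared seed could no longer tell you which provider leaked it."""
        key = normalize_name(seed_name)
        if key in self._seeds and self._seeds[key] != provider:
            raise ValueError(
                f"seed {seed_name!r} already planted with {self._seeds[key]}")
        self._seeds[key] = provider
        return key

    def attribute(self, recipient):
        """Return the provider responsible for a piece of mail, or None."""
        return self._seeds.get(normalize_name(recipient))

    def leak_report(self, recipients):
        """Summarize which providers leaked (with the mail that proves it)
        and which planted seeds have stayed quiet so far."""
        hits = defaultdict(list)
        for r in recipients:
            provider = self.attribute(r)
            if provider is not None:
                hits[provider].append(r)
        planted = set(self._seeds.values())
        return {"leaked": dict(hits), "clean": sorted(planted - set(hits))}


def demo():
    """Run the audit on constructed data: three providers, three seeds,
    and a pile of incoming mail in assorted formats."""
    reg = SeedRegistry()
    reg.plant("HostCo A", "Alvin Q. Seedworth")     # constructed seed
    reg.plant("HostCo B", "Beatrix R. Seedworth")   # constructed seed
    reg.plant("HostCo C", "Cyrus T. Seedworth")     # constructed seed
    incoming_mail = [                                # constructed mail
        "SEEDWORTH, ALVIN Q",      # reformatted, still attributable to A
        "Beatrix R Seedworth",     # attributable to B
        "Jane Doe",                # unrelated mail, ignored
    ]
    return reg.leak_report(incoming_mail)


if __name__ == "__main__":
    print(demo())
```

The value of the per-provider seed is that attribution is unambiguous; `plant` therefore rejects a seed already handed to a different provider rather than silently sharing it.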
"What is most disturbing is that the hosting companies all had privacy policies in place that they were violating," Singh says.
The would-be gatherers of the stolen data aren't always advertising agencies or marketing firms, either. One ASP executive says software vendors ask him to host their applications for vertical market customers so they can mine the customers' databases.
The vendors want to act as a purchasing agent between the members of those vertical markets, enabling them to sift through the members' databases for information to cross-sell between the member companies.
"If the customers agree, it could be great. That is a big if," says the ASP executive, who asked not to be named. "I think most companies, however, don't want anyone mining their data."
[Chart: Application hosting providers' customers]
Selling customer data is taboo for most ASPs, whose executives cringe at the prospect and chalk it up to a few bad apples that will soon be out of business.
"If it is happening, it could have terrible implications on the rest of the industry. But I think most ASPs view their customers' data as their sacred asset and would never consider selling it," says John McGrory, CEO of Applicast, Menlo Park, Calif. Like many other ASP executives, McGrory recommends binding an ASP to its privacy policy by including it in the service contract.
"Prevent your data from being sold up front by making them sign a contract that says they can't sell it. And make sure you take a close look at the wording to see what constitutes a sale or transfer of data," says Mark Rash, vice president of cyberlaw for Global Integrity, an arm of SAIC (Science Applications International Corp.) that tests IT services companies' security and data protection measures.
What if the hosting provider goes out of business? Is it permissible to sell its customers' information as an asset (as online retailer Toysmart.com tried before being rebuffed by the Federal Trade Commission)? Or what if the ASP is acquired? Will the acquirer stick to the same privacy agreement? An ASP should be able to answer all of these questions.
Companies hosting data also should take measures to prevent internal and external "marauders" from gaining access to customer information, experts say.
Many ASPs, for example, check the backgrounds of the data center staff and restrict their access to data. Often, the customer, not the ASP, chooses who gets access, says Mitchell Hryckowian, senior director of security and infrastructure at Interliant, Purchase, N.Y.
Another safeguard is making data center employees pass through several security levels, including physical security guards, key-card door access and even biometric hand scans. A common mistake made by ASPs is housing the data center in the same facility as a corporate office, says Singh.
"It's too easy to say, 'I work with the company,' flash an ID and walk right in," Singh says. He adds that he's been able to bypass external data center security measures by pretending to be a member of a nightly cleaning crew and by simply telling a security guard that he was with a group already in the building.
To test an ASP's privacy policy and security measures, customers should hire an outside auditing firm, many industry watchdogs say. Privacy group TrustE, for example, uses seeding to make sure that companies live up to their privacy policies. Global Integrity probes hosting providers' networks to find out if it can bypass their security schemes.
"We are audited all the time and should be," says Jonathan Rodin, vice president of technical architecture at Navisite, an Andover, Mass., hosting provider. "Customers should test an ASP's security measures up front and use an auditing firm to test them on an ongoing basis."
Some ASPs are even getting in on the auditing act. Breakaway Solutions, for instance, recently formed its own managed security practice. The Boston-based e-business integrator and ASP conducts security audits, builds security architectures and performs ongoing security breach tests for customers.
Another data safety avenue for ASPs is a seal of approval from such organizations as the Better Business Bureau and TrustE. TrustE, San Jose, Calif., gives out privacy seals of approval, called "trustmarks," to Web sites. It's also considering expanding the program to include software companies, says Dave Steer, director of communications at TrustE. To get a privacy seal of approval, software companies have to disclose their data gathering and dissemination practices, he says.
And that might become more common. ASP clients are sharpening their scrutiny of data privacy, says Rick Swanson, CEO of ASP FreeMe.com, Austin, Texas. "Customers of ASPs are taking a long look at privacy policies," Swanson says. "And the ones we've come across won't work with ASPs that don't have a solid one in place."
Paula Rooney contributed to this story.
