Prism revelations 'will affect businesses'
Customers likely to become more wary about giving up personal information
The scandal surrounding the National Security Agency's Prism data-gathering programme will impact all businesses that rely heavily on the processing and analysis of customer information, according to experts.
Technology giants including Apple, Facebook and Google have denied that they have participated in Prism and have said that they have not enabled the US government to access their systems through a "backdoor".
But Marcus Alldrick, CISO at insurance services provider Lloyd's of London, believes that consumers and business customers will now be questioning how businesses are using their data.
"Prism brings the rights of the individual to the fore. The impact on business is that by extension, people will be asking, are you compromising our information?" he told Computing at ISACA Insights World Congress 2013 in Berlin.
Alldrick said that companies such as Lloyd's have to be cognisant of the laws in the regions in which they operate.
"The US Patriot Act is an example, so if you are storing and processing information in the US, then you have to be cognisant of what other legislation can take effect in those territories. So if we were transferring an individual's personal information to another country within the European Union it is generally okay to do so, but if we are going outside of the EU, then we have to reflect the constraints of the Data Protection Act or its equivalent in other European countries and apply the controls that are required to process that information outside of the EU," he said.
Lloyd's of London has a dedicated department that deals with the legal and regulatory constraints of operating in different countries.
Like many other companies, the insurance services firm is subject to e-discovery rules, by which the government can seek to obtain information from Lloyd's.
"To comply with the e-discovery exercises, we have to ensure that the request is legal, and that in responding we are acting within the law as well, and this is basically what the companies involved [in Prism] have said [that they have done]," said Alldrick.
He added that there were legal mechanisms in place to ensure that Lloyd's goes about handling this information in a legally compliant way.
"This also extends to something as simple as subject access requests under the Data Protection Act, in that we get many requests but before responding, we make sure we verify the identity of the person making the request to ensure that the data pertains to them. We know they have the right to the information, but we have to make sure that the information goes to the right person, because it is personal information," Alldrick explained.
Meanwhile, Rob Clyde, CEO of software provider Adaptive Computing, believes that enterprises may think twice about moving to a public cloud because of the Prism revelations.
"It could chill some of the moves to the public cloud as enterprises are reliant upon a service provider," he said.