Recently at HostingCon 2016 in New Orleans, our CEO Jay Sudowski was part of a panel discussion about threats to web hosting companies and how to handle those threats and the regulations that govern them.
The discussion was titled, “Five Immediate Threats to Your Business and How to Handle Them.”
Joining Jay on the panel were Dakota Graves, Community Manager for i2Coalition, Jane Shih, Assistant General Counsel for The Endurance International Group, Inc., and David Snead, General Counsel for cPanel.
For many years, i2Coalition has been working to identify and reduce regulations and policies that target web hosting companies. The panel members shared some actionable tips to help web hosts address regulation and threats while also handling network security issues.
How Should Web Hosts Deal with Requests to Access Data?
First, it’s important to understand that some policies around government access to data are out of sync with one another. At the time of this writing, new legislation regarding Privacy Shield is in flux and will have big implications for the EU. So what do you do when you get a request from a country outside of Privacy Shield? It’s not a good idea to ignore it. However, it’s important to send information only to countries whose laws adequately protect private information.
Which Law Enforcement Agencies Have Oversight of Your Business?
What happens when the FBI comes in and needs to take a rack of servers? To avoid tension with law enforcement agencies, it’s important to proactively communicate with them. It’s recommended that you develop a relationship with an FBI liaison before a problem arises. Invite your FBI liaison in for a tour of your business and help them understand exactly what you do.
OFAC is the Office of Foreign Assets Control and is part of the US Department of the Treasury. It administers and enforces trade sanctions based on national security. Web hosting companies should make themselves familiar with this organization.
Know who your customers are and what organizations or agencies have oversight of their businesses. For example, healthcare companies need to be in compliance with HIPAA, which is enforced by the US Department of Health and Human Services’ Office for Civil Rights (OCR). Companies that do affiliate marketing fall under the watchful eye of the Federal Trade Commission (FTC).
How Should a Web Host Handle Law Enforcement?
Your team needs to understand in advance that a visit from law enforcement does not mean your firm itself is being targeted. It’s best to show them how to handle requests before they happen. Develop a process for what to do when someone shows up with a badge and a subpoena. Remember, the issue at hand could be civil or criminal. With law enforcement it’s important to be responsive, but being responsive does not mean you must comply with every request. Educate yourself on which requests could be illegal or completely disruptive to your operations. i2Coalition is developing a list of who to contact for more help.
How Can a Hosting Company Recoup Costs?
A web hosting company has the right to bill law enforcement for the time lost. This process can take some time, but it has worked. Make sure to have a provision in your Terms of Service (TOS) that allows you to charge back the costs of compliance, covering both law enforcement and civil requests.
Keep in mind that enforcing regulations is the job of these agencies. It’s best to help organizations like the FBI do their jobs in a way that is not confrontational. And remember to turn to i2Coalition for help, preferably before the situations discussed in this article arise.
What other threats or regulatory agencies have you dealt with? Share your experiences in the comments section below.