Question regarding "Customer Property"

lorenambrose

Quality Assurance Manager
Would an internet service provider regard the data that a customer sends and receives over its network as Customer Property as addressed in 8.5.3
Property Belonging to Customers or External Providers
?

My initial thought is NO as there are too many variables making up the internet that are out of your control.

Opinions?

Regards,
Loren
 

yodon

Leader
Super Moderator
I'm not an AS guy but what's the impact if the data is lost while in your custody? What about if it's exposed from a hack?
 

lorenambrose

Quality Assurance Manager
We provide internet service, a connection to the internet. We do not store data anywhere. I suppose I was just pondering about ISPs in general. In this information age, does the world of AS or ISO consider this transmitted data to be customer property that must be safeguarded?
 

Big Jim

Admin
I understand your concern. The note following 8.5.3 includes that "customer or external provider property can include . . . intellectual property, and personal data."

Be aware that notes are to provide illumination and cannot be used to write a nonconformance. This one specifically says "can" not "shall". It provides guidance, not a requirement. It is something you may want to consider, but you are not locked into it.

In practical application I would venture to say that if you are not dealing with customer's credit cards you don't likely have anything to worry about. If you do accept payment with a credit card you should have safeguards such as immediately shredding the number after use or if it retained it is using a secure server.
 

Miner

Forum Moderator
Leader
Admin
From a different perspective, consider that you run an armored car service for banks. You stop at one bank and pick up the bank's money and transport that customer's property (money) to another location and deliver it. You do not retain any of the money, but you are responsible for that money while it is in your possession. You are responsible for preventing theft, loss through negligence, etc.

Applying this analogy to an ISP, you would be responsible for ensuring the data are transmitted from point A to point B, the data are not lost or corrupted, intellectual property is not copied/stolen while en route.
 

Randall Beck

Involved In Discussions
Excellent analogy Minor. If you are being paid for the data you deliver I am not sure how that could be considered anything but a service product. Many changed to AS9100:2015 were specifically added to include services as products.

In the very least, I would certainly think that ITAR and the new Department of Defense cybersecurity CMMC regulation considerations need to be investigated for ISP's.

Very small companies are being required to spend $30-100k to protect their proprietary information in their establishments on their own IT infrastructure. I can only imagine the national security risk that ISP's have to protect sensitive data transportation of government contracts or other information.
 

Randy

Super Moderator
My initial thought is NO as there are too many variables making up the internet that are out of your control.

8.5.3
NOTE A customer’s or external provider’s property can include materials, components, tools and equipment, premises, intellectual property and personal data.

The bold-italics pretty much deflate your NO.
 

lorenambrose

Quality Assurance Manager
Great discussion. My hesitation is the words "possession" and "control". We do neither in any form. This is why I would disagree with the Armored Car analogy. There is no possession in our case. If you send data from your home to your work via the internet and it gets corrupt or hacked, I do not think your ISP would have any liability at all. A shopping mall has a parking lot but is not if someone backs into you or breaks into your vehicle you cannot hold the shopping mall liable.
 

Randy

Super Moderator
A shopping mall has a parking lot but is not if someone backs into you or breaks into your vehicle you cannot hold the shopping mall liable.

Wanna bet? Ever hear the words "Lawyers", "suit", "litigation", "negligent damages"? (retired cop here)
 

Miner

Forum Moderator
Leader
Admin
A shopping mall has a parking lot but is not if someone backs into you or breaks into your vehicle you cannot hold the shopping mall liable.

This is from a quick internet search: "Corporate property owners are responsible for the common areas like parking lots, walkways, restrooms, elevators and escalators. Owners of shopping centers are obligated to ensure the safety of visitors from the moment they enter the parking lot".
 
Top Bottom