In the midst of the digital revolution, the stakes for electronics distributors trying to safeguard the privacy and security of customers are constantly on the rise.
There was a time when distributors’ biggest worry was keeping Dell’s orders isolated from Hewlett-Packard’s. Now, intellectual property (IP) protection is the channel’s responsibility. One example: Distributors program FPGAs, PLDs, and similar devices in bulk for their customers. That requires customers to transmit proprietary code and IP to distributors’ programming facilities.
“There’s been a lot going on regarding programming in the past five years,” said Don Elario, who heads the ECIA’s Global Industry Practices Committee (GIPC). “When you engage with the top-tier tech companies of the world, their IP and identity protection expectations are very high.”
The Electronic Components Industry Association (ECIA) represents distributors, component manufacturers and manufacturers’ reps; develops industry-specific guidelines and best practices; and works closely with international standards organizations. The ISO 27000 series of standards addresses the security of information and software exchanged within an organization or with any external entity, Elario said.
ISO 27000 provides a process framework for IT security implementation and can also assist in determining the status of information security and the degree of compliance with security policies, directives and standards. It promotes efficient security cost management, compliance with laws and regulations, and a level of interoperability due to a common set of guidelines followed by partners. It can improve IT information security system quality assurance (QA) and increase security awareness among employees, customers and vendors, and it can increase IT and business alignment.
Among its guidelines, ISO advocates the development of formal exchange policies, procedures and controls to protect data shared internally or externally through all communications methods.
As an industry, Elario said, distributors have spent time, effort, and resources to understand and comply with ISO 27000. “[IP protection] is extremely important to companies that go to distributors for programming,” he said. “Their IT systems must work together, and agreements must encompass how the systems are going to protect the code and programming. Those efforts [within the channel] have been ongoing and strong. Customers are demanding protection not just for code but for their identities.”
As distributors get more involved with high-level global customers, he added, “their security and privacy services have to be appropriate for that space.”
ISO 27000 advises that policies cover the protection of data “at rest.” This includes antimalware controls and guidelines for the retention and disposal of information. Any policy needs to cover all methods of modern communication.
In this regard, distributors’ responsibilities are twofold. They must protect against the insertion of malware or malicious code into the components they store, sell and transport. They also must guarantee – for the component’s entire lifecycle – that the parts are authentic.
Protecting parts, point-of-sale & provenance
Best practices guide customers to buy only through authorized distribution. These resellers take possession of components directly from the factory and then track and trace them throughout their lifespan. They also adhere to all quality, storage, and handling practices required by suppliers.
Components frequently are sold to non-authorized distributors, most of which won’t touch factory-sealed boxes. Less scrupulous entities may mix counterfeit parts with authentic products; tamper with the markings or even the coding of chips; and fail to provide the provenance of the devices. Suppliers may not honor warranties on such parts.
Supplier-distributor relationships also require significant data exchange about customers – OEMs, EMS providers and designers. This has always been a sticky issue for the channel. Suppliers want to know who is buying their products and what applications they’re targeting. They also reward distributors for assisting with customers’ designs. This requires information beyond customer identities, buying habits, pricing and shipping agreements. It requires information about their designs.
Privacy laws are changing the way distributors share customer and point-of-sale (POS) information with their suppliers. A California privacy law recently caught the supply chain’s attention. Like the EU’s General Data Protection Regulation (GDPR), according to ECIA, the law permits an individual to know what information is being collected about them and with whom that data is being shared, and to have data collected about them deleted.
The statute adds requirements about the sale/transfer of data to third parties and specifically permits an individual to opt out of data sales to third parties. The act, in short, clearly establishes the principle that consumers own and control their personal information.
One unique provision is that the law permits businesses to incentivize consumers who allow for the sale of their personal information. These financial incentives could include a different price, rate, level, or quality of goods and services when "reasonably related" to the value provided to the consumer by use of the consumer's data.
The new law is likely to have broad application throughout the digital world, according to Robin Gray, chief operating officer and general counsel of ECIA. The supply chain is proceeding with caution.
“GDPR has been impacting the reporting between suppliers, distributors and customers,” Elario said. “[ECIA] has been reviewing POS guidance. There will be some adjustment to POS to be compliant with GDPR.”
The channel has embraced the digital evolution and manages data at multiple levels, including customers’ financial information; supplier technology roadmaps; and board and systems designs. It could be a challenge, experts say, for the supply chain to match technology’s rate of change.