Data Privacy Day. Do you know where your customer information is?
If your answer is somewhere in the "no" to "sort of, for the most part" range, you've got work to do. Even if your answer is a resounding "yes," it might be time to revisit how you handle and protect customer information -- especially if those processes were developed a couple of years ago or more.
The penalties for poor data protection and privacy practices can be stiff, ranging from negative publicity and embarrassment to costly fines and lawsuits. The fallout can be broad. In a recent Harris Interactive poll sponsored by TRUSTe, 89% of U.S. consumers said they had avoided doing business with a company because of concerns about how it handled their online privacy.
[ Do companies share too much customer data? Read FTC Sets Consumer Data Collection Limits. ]
As a result, behemoths like Google and Microsoft are paying plenty of attention to customer data protection and privacy issues -- it would simply be bad business if they didn't. Google, for one, used Data Privacy Day to explain how it handles government requests for user data. Such requests have been growing in volume lately. Yet protecting customer information isn't just a Fortune 500 issue; it affects companies of nearly all shapes and sizes.
In an interview with InformationWeek, Online Trust Alliance executive director and president Craig Spiezle shared six ways SMBs can polish their approach to data protection and privacy matters.
1. Make Customer Data More Than An IT Problem.
A common SMB approach to safeguarding customer information is to treat it as an IT responsibility. Fair enough, but too many SMBs treat it as only an IT responsibility, according to Spiezle. While IT is usually best suited to handle the technologies and technical processes involved in storing and securing data, it is often in the dark regarding how data is used and shared elsewhere in the organization. In fact, Spiezle said his recent work with the FBI and U.S. Secret Service revealed that confusion among company executives and employees is a regular roadblock in data-breach investigations.
"[SMBs] have to view data protection and privacy as a holistic, company-wide effort," Spiezle said. "If they only focus on it as an IT issue, they will most likely fail."
2. Reevaluate Your Data Encryption Practices.
Encrypting sensitive customer data might sound like a given in 2013. It's not. Failing to use encryption properly, Spiezle said, is a particularly high risk. An organization might encrypt customer data in certain states or process steps but fail to do so when it's in motion or in use on an employee's desktop, for example. Best practices and recommendations for encryption technologies will vary by business and industry; regulatory compliance like HIPAA or PCI will often have a heavy influence. Spiezle advises two global practices. First, if you haven't recently re-evaluated your encryption processes and technologies, they're probably not good enough. "Companies that were encrypted based on what standards were five years ago are easily broken into today," Spiezle said.
Second, Spiezle recommends whole-disk encryption instead of file-level encryption, especially for employees who work with customer data on their PCs or mobile devices. Whole-disk encryption, such as what's on offer for Apple's iOS or Microsoft's Windows, can help better protect against fallout from lost laptops and other hardware.
3. Consider Data Loss Prevention (DLP) Technologies.
Spiezle advises larger companies to begin to consider a data loss prevention (DLP) platform for rules-based data monitoring and tracking. Such technologies enable an administrator to automate and enforce certain policies governing the use and movement of customer data. For example, set a rule that prevents any files that include a social security number from being sent outside the company. "You're preventing either an accidental disclosure or an employee overtly sending data out to someone [outside] the company," Spiezle said.
By "larger" companies, Spiezle is not referring to employees or revenue but the amount of data you're dealing with. "I've seen companies with as little as 100 employees using [DLP]," Spiezle said. "Certainly, anyone that's dealing in [healthcare] or a securities business is probably already thinking about this." A related scenario where smaller companies might find a return on a DLP investment: Service providers that count highly regulated industries and other high-risk businesses among their customers. It might be a necessity to be deemed trustworthy.
4. Include Customer Privacy In Cloud Vendor Negotiations.
As SMBs adopt cloud applications in greater numbers, Spiezle believes customer data protection needs to be a part of contracts and negotiations. The standard language in many such agreements might not be enough, he said. One example: "We adhere to best practices to protect your data," or some version of that same claim. The problem, according to Spiezle: "That may not be good enough for your business, and you may really want to pressure [them on] that." Another example: A cloud vendor's general promise to notify you in the event of loss of sensitive information. The problem: "They may not really know what's sensitive to your customers or your markets," Spiezle said.
As a result, Spiezle encourages SMBs to ask cloud providers to include addendums to the standard agreement that cover their specific needs for protecting customer data and privacy. Don't expect a warm response, though. "Vendors don't want to do one-off deals." Nonetheless, it's an important area to address. In the event of a data-related incident, your customers won't want to hear: "It's the cloud's fault."
5. Address The BYOD Issue.
Yes, bring-your-own-device (BYOD) is a customer data issue, too. Spiezle's in the camp that sees BYOD as inevitable. No matter your viewpoint, employee mobile devices add an order of magnitude to protecting customer information and privacy. A recent survey paid for by EVault found nearly one-third of U.S. employees had corporate data stored on their personal smartphones.
Spiezle recommends remote wiping capability as a key tool for managing the mobile-related risks. At bare minimum, he advised including a BYOD policy clause that requires employees to notify the company in the event of a lost or stolen device so that it can take steps to prevent data loss.
6. Retain Data Logs For Longer.
As a matter of process rather than technology, Spiezle recommends keeping data logs for things like firewalls or application servers for at least one year, if not longer. "What we find is a lot of administrators only keep them for 30 days, or they inadvertently shut them off when they're doing something [else]," Spiezle said. That can cause problems when trying to determine the cause of data-related incidents; Spiezle noted those incidents are often not discovered until after the fact.
"There's really no reason why you wouldn't want to keep your past 12 months of data in those logs," he said. "It's really important because it can help in forensics capability. It can also help detect abnormal behavior and patterns of someone who's attempting to breach your perimeter."
InformationWeek is surveying IT executives on global IT strategies. Upon completion of our survey, you will be eligible to enter a drawing to receive an Apple 32-GB iPad mini. Take our