BreachExchange mailing list archives

Six basic procedures to help avoid data protection breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 30 Jan 2015 18:55:47 -0700

http://businessandleadership.com/leadership/item/49278-six-basic-procedures-to-hel


Almost all organisations have data relating to their customers but many do
not have the procedures in place to ensure that information is being
securely stored, writes Fintan Lawlor.

2014 was a year full of data protection breaches and full of fines and
court cases as a result. While big international names such as Sony and
Apple took the limelight as a result of outsiders hacking into their
systems, many cases have been the result of negligence and a lack of
understanding when it comes to data protection law.

Many businesses were prosecuted by the office of the data protection
commissioner. In December, it was revealed that grant applications to the
University of Limerick had been leaked, while in July Paddy Power was the
centre of attention after almost 650,000 customers’ contact details were
stolen.

While such organisations may have the finances to pay the legal costs and
fines associated with a breach of customer privacy, for many small and
medium enterprises (SMEs) they can be the noose that results in the demise
of their business.

Most small businesses in Ireland don’t have the finances to pay for a
dedicated data protection expert on their staff, but that does not and
should not absolve them of the responsibility of protecting and, where
appropriate, destroying customer information. As an example, some smaller
businesses that faced fines and legal action last year include private
investigators, like MCK Investigators (fined €7,500) and Michael Gaynor
(€5,000), who were hired by credit unions to track down bad debtors, and
the pharmacist who was sued for €38,000 after sharing CCTV footage with the
husband of a woman purchasing a pregnancy test.

There are good reasons why companies collect as much information as they
can on their customers. The better a company knows its customers, the
better it can lock up their business by targeting them with products,
services and discounts.

The following procedures are basic good practice for any company that
collects and stores customer information.

1. Audit data privacy

Step one is to understand what data your business needs, what data it's
collecting and how data is being stored and secured. Consider also your
legal obligations if you handle medical, financial or minors' data.

With the countless sources of information available to us today, via social
media and advertising platforms, it is easy to collect more data than you
realise. If you can’t appoint someone to take charge of auditing your data
then you must fulfil that role.

2. Customer data isn’t just digital

With all the talk of big data, Facebook and e-commerce it’s easy to forget
that we as businesses store customer information in a range of forms, from
printed and signed contracts and CCTV footage to images and application
forms. It is your duty to ensure all forms of data are managed safely.

3. Minimise data collection and retention

The more data you have the greater your risk. Conversely, what you don't
have can't hurt you. Only collect and store data you need to deliver your
product or service.

4. Ensure data is secure

Even if you don't take credit card numbers, other personal data you keep
could be valuable to hackers and identity thieves. Not only is it
embarrassing but it can be costly if you have to tell customers their
personal information has been compromised in a hack. Remember that you are
legally obliged to disclose a breach. In short, be sure you have secured
your network, databases and website.

5. Privacy policy

Commercial website owners are required by law to post a privacy policy.
Most app platforms also require one if the app transmits data. It isn't
enough to cut and paste a boilerplate policy. Regulators consider privacy
policies legally binding agreements between you and your customers. You
should describe your current business practices fully and accurately.

6. Communicate

A privacy policy is a legal document that customers rarely read. But they
do expect simple and clear descriptions of company data practices at key
moments, such as when they're asked to provide data and when you add new
features to a product or service or make policy changes. Be upfront when
communicating with customers about data you collect and your plans for
using it.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com