BreachExchange mailing list archives
Six basic procedures to help avoid data protection breaches
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 30 Jan 2015 18:55:47 -0700
http://businessandleadership.com/leadership/item/49278-six-basic-procedures-to-hel

Almost all organisations have data relating to their customers but many do not have the procedures in place to ensure that information is being securely stored, writes Fintan Lawlor.

2014 was a year full of data protection breaches and full of fines and court cases as a result. While big international names such as Sony and Apple took the limelight as a result of outsiders hacking into their systems, many cases have been the result of negligence and a lack of understanding when it comes to data protection law. Many businesses were prosecuted by the office of the data protection commissioner. In December, it was revealed that grant applications to the University of Limerick had been leaked, while in July Paddy Power was the centre of attention after almost 650,000 customers' contact details were stolen.

While such organisations may have the finances to pay the legal costs and fines associated with a breach of customer privacy, for many small and medium enterprises (SMEs) they can be the noose that results in the demise of their business. Most small businesses in Ireland don't have the finances to pay for a dedicated data protection expert on their staff, but that does not and should not absolve them of the responsibility of protecting and, where appropriate, destroying customer information. As an example, some smaller businesses that faced fines and legal action last year include private investigators, like MCK Investigators (fined €7,500) and Michael Gaynor (€5,000), who were hired by credit unions to track down bad debtors, and the pharmacist who was sued for €38,000 after sharing CCTV footage with the husband of a woman purchasing a pregnancy test.

There are good reasons why companies collect as much information as they can on their customers. The better a company knows its customers, the better it can lock up their business by targeting them with products, services and discounts.
The following procedures are basic good practice for any company that collects and stores customer information.

1. Audit data privacy

Step one is to understand what data your business needs, what data it's collecting and how data is being stored and secured. Consider also your legal obligations if you handle medical, financial or minors' data. With the countless sources of information available to us today, via social media and advertising platforms, it is easy to collect more data than you realise. If you can't appoint someone to take charge of auditing your data then you must fulfil that role.

2. Customer data isn't just digital

With all the talk of big data, Facebook and e-commerce it's easy to forget that we as businesses store customer information in a range of forms, from printed and signed contracts and CCTV footage to images and application forms. It is your duty to ensure all forms of data are managed safely.

3. Minimise data collection and retention

The more data you have, the greater your risk. Conversely, what you don't have can't hurt you. Only collect and store data you need to deliver your product or service.

4. Ensure data is secure

Even if you don't take credit card numbers, other personal data you keep could be valuable to hackers and identity thieves. Not only is it embarrassing, but it can be costly if you have to tell customers their personal information has been compromised in a hack. Remember that you are legally obliged to disclose a breach. In short, be sure you have secured your network, databases and website.

5. Privacy policy

Commercial website owners are required by law to post a privacy policy. Most app platforms also require one if the app transmits data. It isn't enough to cut and paste a boilerplate policy. Regulators consider privacy policies legally binding agreements between you and your customers. You should describe your current business practices fully and accurately.

6. Communicate

A privacy policy is a legal document that customers rarely read. But they do expect simple and clear descriptions of company data practices at key moments, such as when they're asked to provide data and when you add new features to a product or service or make policy changes. Be upfront when communicating with customers about the data you collect and your plans for using it.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!