How to Protect Customer Information
A business, organization, or governmental agency of any size collects customer information. Whether you accept orders or provide a service, your business handles sensitive customer data in the course of its transactions.
There are rules and regulations around how customer data should be handled. For example, businesses that sell to California residents must abide by the CCPA (California Consumer Privacy Act). While this is good for your customers' personal data, it often creates a lot more work for businesses that aren't prepared for data security. If you're a small business, you might struggle to inform your customers of their privacy rights, which may be required by regulation, and to store data correctly.
Why is it Important to Protect Customer Information?
Any information that a business collects and may be required to store needs to be protected. Critical data commonly collected include employee records, customer information, transactions, and loyalty schemes. Not only is protecting this information legally required, but it is also critical to maintaining your business!
Unfortunately, a mixture of federal and state laws governs data protection. Unlike Europe, which is protected under the Federal Data Protection Act, businesses in the United States must do their own due diligence to protect customer information according to the relevant regulations. The Federal Data Protection Act is a good common ground for data practice, as it documents how organizations, businesses, and governments must keep data accurate, secure, lawful, and safe, and it may apply to businesses that work with consumers or business partners from the EU.
This Act lists a set of principles that ensure the data is:
- Stored in a specific way
- Not kept for longer than necessary
- Only used in relevant ways
- Used within the confines of the law
- Stored following the people’s data protection rights (within the relevant jurisdictions)
Outside of regulatory reasons, businesses should pay close attention to how their data is stored, because poor data management could put the business itself at risk. If data is not protected with multi-factor authentication, authorization requirements, and the principle of least privilege, then sensitive or personal data can be accessed by unauthorized employees, malicious employees, or a malicious third party who breaks in.
With this information, malicious actors could take the data and run with it. Whether they threaten to sell the data, hold the company to ransom, or cause a data breach, your company could be held liable and financially drained. You will also lose the trust of your existing customers, and business could decline. You must do whatever needs to be done to prevent this!
What Data Needs to Be Protected?
Sensitive data comes in all shapes and sizes. For the most part, businesses get their hands on a good deal of it. While employee and customer names, phone numbers, email addresses, and mailing addresses are considered sensitive information, they are, for the most part, already publicly available. But this does not mean that you do not need to go to lengths to protect this information.
If you collect more sensitive information than this, such as social security numbers, credit card numbers, bank account numbers, and personal account data, this data could identify customers and employees, and leaking it out of the company could spell disaster for these people. You might end up collecting this information if you have to fill orders, meet payroll, pay taxes, or provide payment or customer data to a third party for order processing. If this sensitive data falls into the wrong hands, you might be enabling identity theft, bank fraud, or worse, and you will be held liable.
Security breaches cost a lot of money as well. The cost will depend on the type of data. Personally identifiable information, financial information, and intellectual property are the three most important types of data that a company can collect, and they need to be protected. It helps for businesses to categorize this data and come up with a clear plan of action to protect it.
Building a Sound Security Plan
Even for a small business, it can be hard to develop a viable security plan for customer or sensitive data. In either case, you need to do what is best for your business and your clients.
Consider a security plan predicated on the Federal Trade Commission’s five principles for data protection:
1. Take Stock
The first step in securing your business's data is to take stock. Taking stock means inventorying all of your company computers, mobile devices, laptops, disks, home computers, flash drives, and every other piece of technology your business uses (including Internet of Things access points) and tracking down all of the places where your company stores sensitive data.
You might not realize that you have accidentally kept sensitive company data on a stray USB or flash drive from the 2000s. Or you might find that you logged into a personal computer with your work credentials. These loose ends are points at which a malicious actor can take advantage of your business and use it to their advantage (and against you).
You will also want to connect with third parties, old contractors, websites, call centers, former employees, remote employees, and other digital services that you have worked with. Like your company's filing cabinets and computer systems, these businesses may hold data about your company or may have collected data from your employees and customers on your behalf. This could be a potential vulnerability.
To track this information, you might have to work in reverse. Think about who would be sending personal information to your business. Look at how your company receives this personal information, and identify exactly which piece of information is received at each entry point. Tedious, yes, but extremely helpful for tracking down potential vulnerabilities.
2. Scale Down
Once you have identified all of the data your company holds and the ways it collects it, begin to scale down. Ask whether your business needs to keep each piece of information or whether it is redundant. If customers can pay for your service using a website and mobile app, look at whether your business needs to handle that sensitive data itself or whether a third party can process it on your behalf.
Don't collect anything unnecessarily. Social security numbers, for example, should only be used for lawful purposes such as reporting employee taxes. Customer credit card information should also be removed unless your business needs it.
3. Lock It
The data that you do need to keep must be protected. Consider both physical and digital security. If you are storing the data on-site, you will need to provide physical security measures. Otherwise, go with a third party you trust and who can ensure security.
For physical security, be sure that all personally identifiable information is locked in a cabinet. You should also have access controls that apply least privilege, so that only those who are authorized to enter the protected spaces do so.
For digital or electronic security, you will have to consider a robust network security plan. Track all of your company's connections and put up network security measures such as firewalls, anti-virus, anti-malware, and anti-tracking protections. Encrypt sensitive information, especially if it needs to be sent to a third party.
Regularly run scans for malware, viruses, and vulnerabilities. Your employees also need to be trained to change passwords, lock their computers, never share passwords, and report security incidents.
4. Pitch It
Properly dispose of the data that you don't need. If you have a credit card number on file, you will need to shred that record before disposing of it. If you use a professional shredding service, be sure that you can trust them. Information stored digitally should likewise be properly disposed of.
Employees who work from home will also need to follow similar procedures. Make sure that they know not only to move items to the trash but also to empty the trash. They may need to change passwords and run anti-virus software.
5. Plan Ahead
Once you have cleared out the things you don't need and protected the information you do need, you can plan. You will want a plan in place should a security breach occur. You will need someone to contact, as well as a mitigation strategy, which includes backup access arrangements and protocols for informing employees.
If you do not have firewalls, anti-virus software, or monitoring tools in place, you will need to deploy them. If you work with a remote team, you will need to find software they can download.
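The five steps above describe a data-handling review that can be partly automated. The following Python script is an added example, not from the original article or the FTC guide: it runs over a constructed set of intake records, flags fields that look sensitive but are not on the "needed" list (Take Stock and Scale Down), flags records past an assumed retention period (Pitch It), and masks sensitive values in its report (Lock It). The record layout, NEEDED_FIELDS and RETENTION_DAYS are assumptions for illustration.

```python
import re
from datetime import date
from typing import Optional

# Constructed sample of what an inventory of one intake point might hold.
# Field names and values are made up for this example.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Example", "email": "a@example.com", "ssn": "123-45-6789",
     "card": "4111111111111111", "collected": date(2018, 3, 1)},
    {"id": 2, "name": "B. Example", "email": "b@example.com", "ssn": "",
     "card": "", "collected": date(2024, 6, 15)},
]

# Scale Down: fields the business has decided it actually needs to keep (assumed).
NEEDED_FIELDS = {"id", "name", "email", "collected"}
# Pitch It: assumed retention limit, in days, for records at this intake point.
RETENTION_DAYS = 365 * 2

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; a quick 'looks like a card' test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(value) -> Optional[str]:
    """Take Stock: label a value 'pii' or 'financial' if it looks sensitive."""
    if not isinstance(value, str) or not value:
        return None
    if SSN_RE.match(value):
        return "pii"
    if value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value):
        return "financial"
    if "@" in value:
        return "pii"
    return None

def audit(records, today: date) -> dict:
    """Report unneeded sensitive fields, expired records, and a masked copy of each record."""
    findings = {"unneeded_sensitive": set(), "expired_ids": [], "masked": []}
    for rec in records:
        for field, value in rec.items():
            kind = classify(value)
            if kind and field not in NEEDED_FIELDS:
                findings["unneeded_sensitive"].add((field, kind))
        if (today - rec["collected"]).days > RETENTION_DAYS:
            findings["expired_ids"].append(rec["id"])
        # Lock It: never echo raw sensitive values in reports; keep only the last four characters.
        findings["masked"].append({f: ("****" + v[-4:] if classify(v) else v) for f, v in rec.items()})
    return findings
```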
Protecting Your Customer Data With Employee Monitoring Software
Protecting your customer data is essential to your business operations. While you can't control every aspect of those operations, you can monitor them and stop threats before they get worse. Employee monitoring software can be deployed on enterprise systems and in remote workplace settings. With it, businesses can track common user behaviors and be alerted when something atypical happens.
This software also gives employers a bird's-eye view of their employees' workdays. View a remote computer screen to see whether your employee is actually working or whether a malicious actor has gotten onto the work computer. Or read your employees' messages to see whether they pose an insider threat.
While employee monitoring will add to your company's security, it also provides productivity management. See how many hours your employees are working or whether they are wasting time. With this insight, you can boost security and get a better grasp on your bottom line!