Call Security! Manage Customer Data—Privately

The theft of personal customer information poses a threat to businesses large and small—and their customers. In many cases, protecting customer data is more important for small companies than for larger ones.

“Small businesses need to recognize they’re not immune to this problem. In a way, it’s almost a higher risk,” explains Jeff Carr, executive vice president of sales and marketing for LuciData, a computer forensics and internal threat management consulting company based in Minneapolis. “If larger businesses lose a customer, it’s not good, but they’ll survive. But if somebody steals information from a small business with 10 customers, that could really damage your business.”

And new regulations regarding the security of personal information may mean that losing customer data costs you even more—in fines.

Despite the fact that identity theft is rampant, few federal regulations exist regarding the protection of customer data, although some laws do govern certain industries such as health care and finance. Laws are left mostly to states.

Many states only require businesses to notify customers if their personal information is compromised as a result of unencrypted computerized data. But that’s about to change. New state regulations—including a recent law that went into effect in Nevada in October and a Massachusetts one that will follow suit in January—place tighter restrictions on the security of personal information transmitted electronically. This means that if your business is located in or has customers in those states, you must encrypt any customer information (including names, financial information and Social Security numbers) you transmit by email, FTP transfer or other non-fax electronic means.

Aside from the risk of losing customers by playing fast and loose with their data, you also may be liable in a civil suit if you don’t follow the regulations. In Nevada, a proposed enforcement plan would ensure that businesses that have a breach but complied with the new law won’t pay damages of more than $1,000 per customer for each occurrence. And if businesses don’t comply? They could face unlimited civil penalties.

Even if you don’t do business in Nevada and Massachusetts, it’s time to start protecting the security of your customer data now before regulations go into place in your state.

Here’s how to start:

Create a plan. Consider how you will protect personal data while it is being used within your company, as it travels outside the company and when it is archived. “When we do an internal threat management audit, step one is a data mapping exercise,” Carr explains. “A lot of companies don’t know where their data is stored or how files move around these days. The first thing is understanding the information and where it is.” Laptops and portable devices such as removable hard drives and flash drives are particularly vulnerable, so make certain your plan includes rules on mobile media data storage.

Build a security infrastructure. Relying on the right technology allows you to protect your business from software attacks or hackers as well as from the mishandling of data inside the company. Encryption transforms readable data into what looks like gibberish. Only a program with the same “security key” as the one that encrypted the data can make it readable again. The goal of data encryption technology is to keep your information safe, whether it’s in your office database, on laptops employees travel with or on mobile devices such as PDAs.

“There are a number of commercially available solutions that can be purchased for less than $100 per user,” Carr says. “This is not expensive technology when you look at what’s at stake.”

There are a number of encryption packages you may want to consider. With disk encryption, the entire hard drive of a laptop, workstation or server is encrypted to guard against theft or loss. It may come in hardware form (offered by companies such as Seagate) or may be sold by computer companies (for instance, some versions of Windows Vista include a full disk encryption feature). Or you can purchase standalone disk encryption software—Check Point Full Disk Encryption, McAfee Endpoint Encryption and PGP Whole Disk Encryption are a few of the most common.

LuciData also recommends device control. “It’s software that runs on the laptop or desktop and allows you to determine or control what type of devices a user can write to,” Carr explains. You might choose, for instance, to allow employees to copy media to a USB drive or burn files to a DVD but not allow them to transfer files to their iPods. It’s worth taking precautions, Carr stresses. “What we’ve found is that by far the number one way that intellectual property or information is taken is through removable media.”

Keep an eye on things. After installing encryption, it’s important to monitor your system to ensure it’s working smoothly. Carr says most encryption software has built-in logging capabilities.
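The data mapping exercise described under "Create a plan" can begin with a small script. The following is an added example, not from the original article or from LuciData: it walks a directory tree and inventories files containing Social Security number or payment-card patterns. The function names, sample files and sample values are constructed for illustration, and pattern matching is only an assumed starting point for such an inventory.

```python
import os
import re
import tempfile

# SSN-shaped values; lookaheads reject never-issued ranges (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Count SSN-like and Luhn-valid card-like values in one file's text."""
    cards = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)]
    return {"ssn": len(SSN_RE.findall(text)),
            "card": sum(1 for c in cards if luhn_ok(c))}

def map_data(root):
    """Walk root and return {relative_path: counts} for files holding personal data."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skipped here, an audit would record it
            if counts["ssn"] or counts["card"]:
                inventory[os.path.relpath(path, root)] = counts
    return inventory

def demo():
    """Build a constructed sample tree (made-up values, test card number) and map it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usb_export"))
        samples = {"customers.csv": "Ann Lee,123-45-6789,4111 1111 1111 1111\n",
                   "usb_export/notes.txt": "call back re: SSN 078-05-1120\n",
                   "readme.txt": "order 000-12-3456, ref 1234567890123\n"}
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return map_data(root)
```

Pointing `map_data` at a file share or a mounted removable drive gives a first list of where regulated data sits, which is the input the encryption and device-control decisions need.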

The result? You won’t have to worry about data breaches or legal troubles—and your customers’ precious personal data stays safe.

Filed under: Time Savers