In November 2007, the United Kingdom government was embarrassed internationally when data CDs containing the names, addresses, dates of birth, and bank account details of 25 million citizens were lost in the post.
Smaller businesses may never keep such sensitive information, but they still face potential embarrassment, loss of customers, business disruption, and reduced sales if they fail to adequately protect the customer data they hold.
Many ways to lose data
Most small businesses probably haven’t considered the wide range of ways in which their customer data might be lost or inadvertently exposed to the outside world. While most people think of shadowy, criminal hackers as the number-one threat, far more businesses lose data as the result of a hard drive failure or software bug, according to research by Rubicon Consulting.
“You need to make sure your technology has a security in-depth approach to protect against threats from outside,” says Steve Martin, manager of the mid-market sector in the Pacific region for security software firm Symantec.
“If you lose a laptop, even if the person who steals it doesn’t use it, you’ve lost a lot of critical information.
“I saw one example of a pest control company that had a fire in their office. Because they didn’t back up their data, they had no records of their bookings for the next month.”
In most cases, data leaks or losses are not the result of malice but of mistakes in business processes, according to Ian Farquhar, senior technology consultant at data security specialist RSA.
“Often data loss occurs when people use it in ways that no one anticipated,” he says. “Say you are a corporation that holds customers’ credit card numbers. Maybe you run a promotion where certain credit cardholders win a prize. The marketing person who runs that promotion might get that list and email it out of the organization or put it on a USB key without stripping out the credit card numbers first.”
Complex web of obligations
Companies in Australia operate under a complex web of legislation that governs what data they must keep and the precautions they have to take with the customer details in their care.
“Depending on the type of data stored, there are obligations at federal and state or territory level,” says Michael Park, senior associate at law firm Deacons. “There are special rules for information such as health and financial records.”
The Federal Privacy Act sets out 10 National Privacy Principles. Principle four deals with data security. It says, “… an organization must take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorized access, modification or disclosure.”
Because of their size, most Nett readers are exempt from this legal requirement.
“An organization with an annual turnover of less than A$3 million does not have to comply with the National Privacy Principles,” says Park. “However, smaller organizations are very keen from a public and customer relations point of view to show that they take privacy seriously. More often than not they would prefer to say that they’re compliant.
“The Act is not prescriptive in a technological or process sense, but the Privacy Commissioner has issued some guidelines and information sheets at privacy.gov.au.”
Many small businesses lack the technical expertise to identify the wide range of obligations, potential exposures, and preventative measures.
Security can be as much about doing things the right way as having the appropriate technologies.
“Look at your physical security: keys, alarms, and access control measures,” says Park. “With computer security, make sure you have access control for authorised users. Check a caller’s identity before giving out personal information over the phone. Look at personnel security, too – you need policies around who can access particular types of information.”
Only keep what you need
Because data storage has become fast and cheap, companies keep far more information than they once did. There are clear and detailed legal obligations about what data – such as financial records – you must keep and for how long.
Beyond that point, “don’t keep data unless you need to”, says Park. “With the additional storage and retention of information comes the legal obligations around storing it and disclosing it to others.”
For example, any company that keeps customers’ credit card numbers must comply with the Payment Card Industry Data Security Standard (PCI DSS), an onerous set of requirements for most small companies. As a result, many SMEs prefer to use a payment gateway for credit card transactions and avoid holding this sensitive data at all.
“Organisations need to carefully consider at the outset what information they should be collecting from their customers,” says Park.