Guide to Protecting Customer Data

With each passing year, cyber attacks against companies around the world increase in both number and intensity. In addition to lost shareholder value, damaged reputations and exposure to lawsuits, financial losses following security breaches can reach as high as tens of millions of dollars.

Consequently, the protection and use of customer data is a top concern for any organization that values its customers. This is especially true when it comes to protecting cardholder data and personal information, which were compromised in recent high-profile cyber attacks against well-known brands and retailers. Organizations that fail to meet stringent regulations in regard to data security and payment standards can face fines, penalties and even termination of the right to accept credit and debit cards.

In an attempt to combat data breaches, U.S. card companies are mandating a migration to EMV standards of credit-card transactions. EMV is an encrypted method of transferring credit data. European markets and other developed countries have already completed the migration to EMV and saw a drastic reduction of credit-related fraud; the hope is that EMV implementation in the U.S. will have a similar effect. To learn more about EMV, check out our step-by-step guide to EMV migration.

EMV migration may help in protecting your customer data, but there are many other steps you can take to ensure your customers’ privacy. While managing personal customer information is necessary for conducting transactions, having a plan in place for the assessment, protection and disposal of customer data can bolster your organization against potential cyber threats.

Assess Your Customer Data

As a place of business, you’re entrusted with the handling and proper management of sensitive customer data. Companies that handle and store sensitive personal information (i.e. names, credit-card numbers, PINs and other account data) must comply with state and federal laws, and meet industry standards to mitigate their risk of fraud and exposure to data compromise. The Payment Card Industry Data Security Standards (PCI DSS) sets such rules for companies that receive and store customer credit-card information.

Before rolling out a data-security plan, take stock of the customer data you receive, process and manage on a daily basis. Sensitive and personal information includes (but is not limited to):

• Social Security numbers
• Credit-card and debit-card numbers (e.g. primary account numbers, expiration dates, three-digit security codes, etc.)
• Bank account numbers
• Driver’s license numbers
• Home addresses
• Telephone numbers
• Income information
• Race, nationality, gender or religion
• Medical records

Speak with employees in your sales, accounting, IT and HR departments to find out what type of personal information is coming into your company and how that information flows throughout your organization. You’ll also want to:

• Identify and survey employees who have access to sensitive customer data.
• Determine where, how and from whom you collect personal and sensitive information. For example, what type of data do you receive from job applicants or credit-card companies? Do you receive most of this information digitally, over the phone or via snail mail?
• Check and inventory office equipment and electronics (e.g. computers, flash drives, laptops, tablets, etc.) in your business that receive and save personal customer data.

Evaluating how your organization collects data, as well as where that data is collected, will help you customize a plan that effectively safeguards customer information. As you inventory the various pieces of information, each of which may pose varying risks, be sure to review statutes like the Fair Credit Reporting Act and Gramm-Leach-Bliley Act for further guidance on how to securely share, protect and store customer data.

Protect and Safeguard Customer Data

The U.S. Federal Trade Commission (FTC) advises, “If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it.” In other words, only collect and keep customer data that serves a legitimate business need. And even in this instance, you should only keep sensitive information in your database for as long as you have a business reason to use or store it.

Once you know what customer information you have in your electronic and paper files, it’s time to invest in digital and physical security systems to secure that data. This also means developing data-security education and training programs for employees, vendors and any other stakeholders that handle your customers’ information. Visit the FTC website for more information on the various laws and rules governing data privacy and security in businesses. Additionally, consider incorporating some of the following measures into your own data-security plan:

Electronic Security

• Authenticate: Make sure your company’s computers have basic security measures implemented, including a strong administrator password and the latest firewall and antivirus software installed.
• Encrypt: Where appropriate, encrypt restricted data to protect sensitive information that is transferred across networks.
• Monitor: Storage facilities that house servers should be monitored continually. Servers should also have backup power sources in the event of an outage or maintenance.
• Educate: Advise workers to follow best practices on transmitting sensitive data over networks and storing paper forms in secure areas (e.g. locked cabinets and closets). This includes:
• Using strong passwords and avoiding common ones like “password,” “123456” and “LetMeIn.”
• Minimizing peer-to-peer (P2P) file sharing. Aside from potential IP-infringing uses, P2P networks can expose your company to security flaws through unsecured connections.
• Deleting and reporting suspicious emails (see OnGuardOnline.gov for examples of phishing emails).
• Turning off company computers when not in use.
• Creating backups of important files.

Physical Security

• Store paper documentation, CDs, DVDs, floppy disks, external hard drives, USB flash drives and other storage devices that contain personal and sensitive customer information in locked rooms, cabinets and closets.
• Restrict access to onsite and offsite storage facilities to employees with proper authorization.
• Inventory and monitor PIN pads and other devices that gather confidential data in order to minimize exposure to security breaches.
• When shipping sensitive customer information, use an overnight shipping carrier to track the status of your delivery. Encrypt data stored on CDs, floppy disks or zip drives, and keep records on what’s being shipped.

Responsibly Dispose of Paper and Electronic Waste

Once you no longer have a business use for equipment and other devices that store confidential customer information, it’s critically important that you remove all the data from them. Institute a policy wherein desktops, laptops, servers and other electronic devices must be “sanitized” (i.e. a process that overwrites the entire hard drive, making the data irrecoverable) before workers throw away or donate the equipment. Similarly, paperwork containing confidential customer data should be shredded, burned or pulverized before it’s tossed. Instituting these policies helps:

• Prevent unauthorized users from gaining access to customers’ financial data and personal records.
• Prevent unauthorized access to and use of licensed software accounts that your business paid for, such as Microsoft Office or Adobe Creative Suite.

Simply deleting or moving information to the trash icon on the computer’s desktop is insufficient since the data still resides on the hard drive and can be recovered by thieves. Instead, “wipe” the drives in the system with a disk-wiping software program like DBAN Hard Drive Secure Wipe or Eraser . Brown University also provides a list of recommended disk-wiping software on its information-technology website. Alternatively, you can contract with a vendor to perform the data sanitization for you.

Create a Crisis-Management Plan

Security breaches can and often do happen. Therefore, it’s important to have an incident-management plan in place to quickly and effectively investigate and respond to data breaches when they occur. For instance, proactive steps you can take to prevent and manage crises include:

• Designating a senior staff member to oversee and implement the plan when crises arise.
• Disconnecting desktops, laptops, digital copiers and other electronic equipment from your company network in the event of a security breach or cyber attack.
• Investigating security incidents immediately, and closing security gaps and other threats to customer information.

If a security incident arises, you may be required by law to notify customers, credit bureaus, law enforcement and other companies impacted by the breach. Reach out to an attorney for help on navigating any laws and guidelines for reporting on and addressing data breaches.

Additional Data-Security Resources

The FTC has numerous publications offering tips on protecting and securing confidential business data. Furthermore, the resources below offer additional insights into security awareness and readiness, as well as downloads of the latest security updates and patches to ensure your systems are protected.

• Educause Security Awareness
• Microsoft Safety & Security Center
• SANS Internet Storm Center
• SecureMac

As previously mentioned, updated POS systems and EMV processing can also go a long way to preventing data breaches. For more info on EMV standards, check out our step-by-step guide to EMV migration.