Protecting Your Customer Data

Best practices in defensive data management keep you and your customers covered

From 2005 to 2008, average costs associated with data security breakdowns rose from $138 per record to $202 per record, or from $4.45 million to $6.65 million per incident. That's the bad news from the Ponemon Institute, an organization dedicated to privacy, data protection and information-security policy, which conducts an annual cost-of-a-data-breach study. Mike Spinney, the Institute's senior privacy analyst, predicts that "many companies are in for a rude awakening" in 2010, when he anticipates that the cost of a data breach will "spike."

Has your company done all it can to protect customer data? And do you check the security mechanisms in place for your customers' networks? Technology industry businesses have a better-than-average understanding of security issues, but sometimes knowledge breeds complacency. Compare your company's policies with this best practices checklist.

First, make sure you've implemented an adequate encryption system that covers data both when it's in storage and when it's being transmitted. However, "encryption in and of itself is not a silver bullet for security," says Tom Turner, senior vice president of marketing and channel sales at Q1 Labs, a provider of security information products. "All encryption can ultimately be broken."

Hackers aren't the only threat to data security. It can also be compromised by people within your company who abuse their access to customer information, a problem that cannot be solved through encryption. Visibility and oversight are key to protecting data within an organization, Turner says.

Another element of best practices in data protection is to conduct independent tests of your system. "A lot of corporations bring in third parties to do penetration tests, and that's one of the best ways to be able to get validation that you're doing the right things," Turner says. He recommends testing your system at least once a year and any time you've updated your infrastructure: "When someone's rolling out a new ERP system or a new online payment processing infrastructure, security sometimes gets forgotten. One would hope that security rigor goes into any infrastructure change to an organization's network."

If you've had—or you suspect you may have had—a security breach, transparency and public responsiveness are key to re-establishing customer trust and confidence. "There are a number of very large blue-chip companies that have had egg on their faces in the last two or three years because of data breaches, including the federal government," Turner notes. "Those that we struggle to remember now in the context of what happened to them then are the ones who did a good job of communicating, 'Hey, we had an issue, this is how we're fixing it,' and they didn't let it drag on."

If your clients want to learn more about keeping data safe, refer them to the Better Business Bureau report, Security and Privacy Made Simpler, the Federal Trade Commission report, Protecting Personal Information: A Guide for Business and the Privacy Rights Clearinghouse resource: Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace.