5 Steps to Meet Legal Requirements and Safekeep Your Customer Data
Nowadays a primary concern for companies is developing and deploying security solutions to protect customer data that is attractive to thieves. Although there are certain measures customers must take themselves to limit their risk, the government is committed to requiring that companies adopt reasonable security policies and procedures to protect data containing personal information.
Since 2001, the FTC has brought 34 cases against businesses that allegedly failed to protect consumers’ personal data. Two months ago, Sony was forced to shut down its PlayStation Network, an Internet-based service for online gaming and the purchase of virtual goods and media. The closure came after hackers stole the personal information of some 78 million users.
The need to revisit a federal data breach notification law is growing, since the Data Security and Breach Notification Act of 2010 failed to become law the previous year. The recent data breaches at companies like Sony, Epsilon and ChoicePoint lend momentum to legislative efforts.
Below are 5 steps to take in order to reduce the risks your customer data is exposed to:
1. Encrypt Information in Compliance with Security Requirements
Keeping information secure from foreseeable attacks and unauthorized access is better than dealing with the consequences of a data breach. Avoid storing personal information in clear, readable text without a business need. Encryption, scrambling the data with a secret key, keeps information from being read even if a breach takes place, provided the keys are kept apart from the data they protect.
Federal Information Processing Standards Publication 140-2 specifies the security requirements for cryptographic modules. The standard defines four increasing, qualitative levels of protection for sensitive but unclassified information, depending on the potential applications and environments in which cryptographic modules may be employed. Companies that fail to employ reasonable and appropriate security measures are made to pay for their negligence.
2. Provide Immediate Notification of Consumer Database Breach
When a data breach takes place, it is vital for the affected company to notify customers immediately of the extent to which their personal and financial information was exposed, if it was exposed at all. In the case of the recent Sony data breach, many government officials expressed concern that the company failed to notify affected customers of the intrusion in good time.
Disclosure of personally identifiable data such as a Social Security or driver's license number, date of birth, mother's maiden name, contact details, etc., can have far-reaching consequences. This information is very often used as an access credential, because these details are commonly the answers to account security questions. Any such detail that falls into the hands of outsiders therefore means easy access to its owner's accounts. So the sooner the affected customers are informed of the breach, the better their chances of avoiding fraud and identity theft.
3. Specify the Type of Data Compromised
Customers’ personal data held by companies ranges from individuals’ names and dates of birth to Social Security or driver's license numbers, account numbers, credit card numbers, phone numbers, passwords and other security codes that would give outsiders access to their accounts.
Epsilon, mentioned above, an e-mail service provider with hundreds of brands among its clients, announced a data breach on March 30. The information obtained was limited to e-mail addresses and/or customer names. Epsilon’s customers fell victim to phishing attacks designed to trick them out of more sensitive personal data.
Luckily, no credit card numbers or Social Security numbers were reported compromised. Otherwise, criminals could have committed medical identity theft, used customers’ money to pay various bills or taken control of their accounts.
4. Provide Customers with Free Credit Monitoring
Though not yet made mandatory by federal law, financial responsibility to customers could be a strong incentive for companies to introduce reasonable safeguards for the highly sensitive information they maintain.
According to the U.S. Federal Trade Commission, nearly 10 million Americans fell victim to identity theft last year, at an average cost of $5,000 per victim. A credit monitoring service alerts customers, usually on a daily or weekly basis, of changes to their credit, thus helping to stop the theft before it gets out of control.
5. Ensure Safe Disposal of Storage Devices
Make sure that storage media you no longer need are rendered completely unreadable, whether they hold digital or paper records. On computers, merely deleting files is not enough, as the information can still be recovered from the hard drive. Disk encryption is one sound answer: if the drive was encrypted from the start, destroying the key leaves nothing readable on it.
Enhancing information security involves managerial effort and financial spending. But a failure to secure personal or customer data from cybercriminals puts the company’s reputation at stake. So employing proper data encryption and data loss prevention technologies is worth the effort, because they protect intangible assets.