Andy Moon summarizes the five key issues covered by the Federal Trade Commission's guidelines for businesses that store sensitive customer data.
Financial giant HSBC recently amended its earlier public statements and admitted that an IT employee walked out with data on approximately 15,000 current customers and 9,000 former customers. The number of compromised accounts rose by four orders of magnitude from the 10 records HSBC had acknowledged in December 2009. Though there is no evidence that French authorities were involved in the theft, the data ended up in the hands of French officials who were investigating suspected tax evaders.
The HSBC case and the recent hacking attack on Google clearly demonstrate that even huge companies with massive security budgets can end up with breaches. Many people without data security backgrounds may very well feel like Sisyphus as they try to keep their private data secure, but there are some resources for those of us who are not security gurus.
The FTC has a very good interactive tutorial and manual that lays down some good guidelines for businesses that store sensitive information like social security or credit card numbers (though if you store credit card numbers, I hope you are already following PCI data security standards). If your business has employees, then it is a virtual certainty that you have data to be concerned about.
The FTC tutorial talks about the five key issues that need to be addressed in a data security plan:
- Awareness: Make sure that you know what kind of data is being stored. If you know that the only personal data you are storing is social security numbers of employees, you will be able to use that information to help decide what to protect and how closely to guard it.
- Minimize: Keep only the data that is absolutely essential to your business. This is one of the key points in the PCI DSS as well. If you don't have a business need to keep the data, then have a policy stating that such data should not be kept. Hackers can't access information that you haven't stored.
- Secure: Once you know what sensitive data exists in your environment, you can decide on appropriate protection mechanisms. There are dozens of encryption options for primary data storage as well as for backup media, and even some cloud vendors are highlighting security in their offerings.
- Trash it: After you have identified the data that you know you have to keep, proactively look for data that you can reasonably throw away. There are many products that could be used for this purpose; we recently started using one called Identity Finder, which can search for Social Security numbers, credit card numbers, bank account numbers, and piles of other personal data.
- Make a plan: It is important to plan for the day when your data is compromised. Hopefully, through careful implementation of the preceding items, you will never need to execute your plan, but it is a good idea to have a plan in place so that you aren't just making your response up after a breach. A good response plan can mean the difference between an embarrassing incident and a PR nightmare.
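The "Awareness" and "Trash it" steps both depend on being able to find sensitive data you did not know you had. As an added example (not from the FTC tutorial or the Identity Finder product), here is a minimal discovery scanner that flags likely US Social Security numbers and payment card numbers in text, using a Luhn check to weed out digit runs that only look like card numbers, and reports them masked so the report is not itself a new copy of the data. The sample text is constructed.

```python
import re

# Added example, not from the FTC tutorial or any product: a minimal
# sensitive-data discovery scanner of the kind the "Awareness" and
# "Trash it" steps call for.

# US SSN in dashed form, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out most random digit runs
    (order numbers, timestamps) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the findings report does not
    become another copy of the sensitive value."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) for each SSN or Luhn-valid card number."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("card", mask(m.group())))
    return findings


# Constructed sample: an HR note that should never have been kept in plain text.
SAMPLE = (
    "Payroll setup for J. Doe, SSN 123-45-6789, corporate card 4111 1111 1111 1111.\n"
    "Ticket 4111 1111 1111 1112 is an invoice number, not a card.\n"
)

if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE):
        print(f"{kind}: {value}")
```

Point `find_sensitive` at the contents of file shares, mailboxes or database exports and anything it reports is a candidate for the "Trash it" pile or, if it must stay, for the "Secure" step.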
The people who want to steal your data are out there and have a lot of motivation. Some want to use personal information for identity theft or other fraud, but the hacker could just as well be working at the behest or for the benefit of a government that isn't concerned about privacy rights. You must also remember that there are probably regulatory agencies in your country that mandate an appropriate level of security, so ignoring the issue is a good way to get yourself into trouble. What kind of security issues are you dealing with these days?