Data privacy: more than a bullet point on a board slide

This post was originally published here by casey pechan.

With all the big breaches in the news last year and GDPR right around the corner, data privacy has maybe never had as much attention from the public as it has right now. Everyone is quite obviously concerned about their own privacy, but it’s a little bit harder to care about someone else’s privacy. Just as it’s a little bit harder to care about someone else’s anything.

So the question is, are these breaches also making employees across your company more aware and concerned about customer privacy?  Truth is, your internal culture around data privacy should already be so strong that neither your employees or customers have the choice of whether or not to care. But that isn’t always the case.

So if your data privacy culture does need a quick check-up, consider the following:

Is the information you’re collecting about a human being?

Then it should be protected! Their name, their email address, their hair color, their social security number, their credit card, it doesn’t matter. When someone tells you something about themselves, you can never be too cavalier about how you treat that data. Not once has anyone provided information to a company while thinking, “Please share this with everyone in the world. I’d love that!”

How does your technology interact with that info?

When Amazon’s Alexa is in a room, it listens to everything said in that room. It couldn’t fully function otherwise. That wouldn’t be a big deal if Alexa was just a fancy Roomba that talked while it vacuumed. But Alexa is much more than a vacuum (while also being much less in that is incapable of helping with household chores). Over time, people inadvertently tell their Alexa speaker virtually everything about themselves. That means Amazon has stringent rules and protections in place to ensure their data can’t be exploited..

It’s highly unlikely your product installs a cloud microphone directly in customers’ living rooms. But what does it touch? You probably don’t leave full credit card numbers lying around in plain text (if you do, please get on fixing that), but are you collecting any information you haven’t yet fully thought through protecting, like say, having a phone app that reports on a customer’s location and that could be used to reconstruct their daily travel? Anything you know about a customer’s personal life should be locked up.

What are you doing about it?

Maybe your servers are carefully scanned and monitored, and you’re confident that no attacker will ever have the chance to get through. Great! Now consider that virtually every company has some sort of admin panel where customer accounts and information can be accessed. (This is understandably necessary in order to provide basic services to customers.) Who has access to this panel? Why do they need it? Are there different levels of access so that a tech support agent sees a different view than a member of the office staff and a tech support manager sees a different view than both of them?

What specific steps are you taking to secure customer information internally? The more touch points there are to customer data, the easier it is for an attacker to find their way in to grab that data.

Do all employees understand how important this is?

How enthusiastic is the company about privacy across the board? Do departments like marketing understand and even enthusiastically embrace implementing new consumer standards like GDPR?

What is the step-by-step process employees take when they encounter or suspect a breach? Are they actually empowered to do anything at all? Any employee who notices a potential data privacy issue or breach should be able to report this (whether it’s via email or Jira or some other method) to a department that can review and potentially take action with that info. Requiring an employee to go through a manager or other gatekeeper brings an added layer of potential inaction.

If there is a process, is it part of training? Do managers discuss it with employees on a regular basis? If you don’t keep it front of mind for employees, then they’ll keep other things front of mind instead.

How are you helping customers?

Customers quite obviously want to protect their own privacy, but are almost always going to take the path of least resistance when registering for an account or making a purchase. No one ever wants to jump through hoops to do anything.

Do you give customers a choice as to whether or not they want to activate two-factor authentication? Do you force customers to create strong, but also memorable passwords (like random word passphrases)?

Do you limit number of login attempts over a set period of time? If a customer’s account is breached by brute force because their password wasn’t very strong, you are still to blame.

Respecting each others privacy is a basic life skill we learned in kindergarten.  Everyone and every company is responsible for protecting each other.  Make sure you and yours are safe and secure.


No posts to display