If You Collect It, You Must Protect It – Tips on Collecting, Storing, and Securing Data
As more and more major data breaches are announced, it’s not surprising that consumers are left wondering “how does this keep happening?” That is a fair question. But businesses like yours should be asking a more important one: what exactly am I doing to protect consumers’ personally identifiable information from data leaks, breaches, and unauthorized use or access? As we’ve learned from other major data breaches, the immediate damage of those attacks appears, on the surface, to be strictly monetary; however, there are much larger, long-lasting effects that can wreak additional havoc on businesses. According to IBM Security’s 2020 Cost of a Data Breach Report, lost business costs accounted for nearly 40% of the average total cost of a data breach, increasing from $1.42 million in 2019 to $1.52 million in 2020. The report highlights that “lost business costs included increased customer turnover, lost revenue due to system downtime, and the increasing cost of acquiring new business due to diminished reputation.”
At Generali Global Assistance (GGA), we believe it’s important that organizations only ask for and collect the data that’s essential to run the business – and exclude the data that is just “nice to have.” The more data you collect, the bigger your responsibility to protect it from being exposed to the wrong people – hackers and unauthorized employees.
Since today is Data Privacy Day, now is the perfect time to share a few key steps your company can take to better protect your customers’ data from getting into the wrong hands.
Take Inventory of Existing Data
Before collecting any additional data, it’s extremely important to take stock of what data you already have on file, be it digital files on employees’ laptops and desktop computers, flash drives, and mobile devices, or hard-copy documents in filing cabinets. Additionally, take a moment to map out how your company receives consumer data (e.g. company website, third-party vendors, social media) as well as how it is stored. Different types of data carry different risks, so knowing how your business collects and stores sensitive information such as a consumer’s Social Security number, mailing address, or personal telephone number is critical to the success of this process.
To begin, create a secure living spreadsheet or document with columns for each area of interest:
- The types of data currently being collected
- Where each piece of data is stored
- Who has access to that particular piece of data (list of all employees, vendors, etc.)
- Who manages and owns that data
- Where the data is being used
- How the data is being protected (e.g. in the cloud, by a third-party vendor, on a secure server)
As you go through this process, it’s important to highlight and take note of the areas where security can be strengthened, as well as the areas where data is being collected but never used. This will help organize your findings in advance of the next few steps outlined below.
Secure and/or Discard Personally Identifiable Data
After you’ve finished taking inventory, the next step in this process is simple: keep what you need, discard what you don’t. One man’s trash is another man’s treasure, so make sure the unused data is properly disposed of and cannot be accessed again by following a few key steps:
- Shred all unnecessary paper records before discarding them, and make sure securely locked shredders are available and easy to find throughout your office. After the documents have been shredded, consider using a service to dispose of the shredded material.
- Use a disk-wiping utility to securely erase all data from old or unused computers and laptops.
- Confirm whether the data you’re looking to dispose of is a customer’s credit report. If it is, you may be subject to the FTC’s Disposal Rule.
For the data you’ve determined will be kept, create the proper procedures and protocols to safely and adequately secure it from all unauthorized access/exposure.
- Store all paper documents in a locked room or in a locked file cabinet, and limit employee access to only those who absolutely have a legitimate business need.
- Regularly run anti-malware scans on all business computers, and make sure the anti-malware software is up to date.
- Identify all devices where sensitive data is stored and assess each device’s vulnerabilities to known cyber-attacks.
Whether your business stores sensitive data physically (paper documents, thumb drives, hard drive backups) or digitally (in the cloud, on a private network, on a computer, etc.), it’s important to consider all the ways someone could potentially access that data, and what the ramifications would be if that data were exposed. There’s a lot someone with ill intentions can do with just a customer’s cell phone number, so be sure that every piece of data being collected has the appropriate security measures in place to protect it from bad actors.
Create a Plan to Store and Secure Collected Data
Once you’ve determined the data you want to keep versus the data that needs to be discarded, the next step is to create a clear and detailed plan of action around data security measures moving forward. This plan should address items such as:
- New sources of data (e.g. new software, vendors, web forms)
- Employee education on known fraud attacks such as phishing, malware, and robocalls – especially while most employees are still working remotely
- What to do in case of a data breach/leak
- The types of data your business has decided not to ever collect
Create a plan that is not only manageable, but one that addresses current and future cybersecurity and identity theft concerns.
Be Transparent in the Marketplace
At GGA, we believe in being transparent with our clients and customers about how we’re storing and protecting their data. For a more in-depth take on how to protect your customers’ data, check out the FTC’s detailed guide on protecting consumers’ personal information. And if you’re interested in learning how GGA can help protect your customers from identity theft and fraud, contact us today.