Don’t be Stupid with Customer Data
Do you know what your employees are doing with customer data? Do you how they are getting customer data, or where that data is? In an age of data breaches and identity theft, are you doing everything you can to avoid contributing to the problem? More importantly, do you have policies and education in place to make sure your employees are doing everything as well? Could your employees be putting your company at risk by being inadvertently stupid with data?
Chances are, if you have built web sites or applications around your business, you looked into making sure you are securing the data properly. Your developers likely use SSL protocols and other manners of encryption to keep data from being exposed unnecessarily. Your developers tend to take the responsibility of securing data within the systems they are building as a key task. This is great, and this is obviously where most people are paying attention to securing custom data. Most people aren’t being stupid with their sites and apps. Most people…
What, however, are your employees doing in regards to other means of sharing data? What do you do with those forms that customers fill out? Most companies are aware that written forms need to be shredded and thus either shred them in house or hire services to do it. Just as you don’t leave hundred dollar bills sitting on your desk, most people know that you have to secure paper forms that have personal information on them. Rarely would someone toss these in the trash can or leave them on their customer facing counters for anyone to see. For example, a car dealer wouldn't leave the purchase forms for a vehicle sitting on their open cubicle desk because other customers might wander by and see the offer numbers or other personal data. It would be stupid to leave such forms sitting in an open area.
Even so, it is amazing that there are a lot of businesses being stupid in one common area. Some are more stupid than others in what they are doing. That area is email.
What data is being asked of clients and customer via email? If data is shared via email, where are those emails being read? On what devices are the emails being read? What emails servers and systems are being read? If they are going through a free mail service such as Google, are they emails being scanned by the mail provider? Are they on a secured corporate machine, or are they also using their home computer and that smartphone they carry everywhere?
The use of email is critical to businesses, but it is important to know that email is not necessarily secure. Even if email is secure on your company computer, you have to consider whether the employee is getting that email on a personal machine (iPad or smartphone). Those devices aren't always secure as well. You also need to consider whether using other devices means that cached or other copies of the information is being stored. The list of issues goes on.
The result is that you should be very cautious of what you request in email. If you are requesting data that falls into the area of privacy, you should make sure that you are not only encrypting or otherwise securing that data, but that it is also being transmitted securely.
Equally important, you should work with your customers to make sure they don’t step out of the secure box in sending you personalized information. You don’t want to risk being blamed should something happen when that data is sent to you. As a real example, I recently put out a request for a price quote. One of the email responses from a local Indianapolis business included the following:
Also to help speed up the process, most of our Internet Department Customers take advantage of pre-approved financing by answering the five questions below. It will save you a lot of time by making your online shopping more convenient for you. Simply copy and paste the box below into your reply, fill in the information below and then reply to this email and it will come directly to me.
1 FULL NAME: 2 ADDRESS: 3 PHONE NUMBER: 4 DATE of BIRTH: 5 SOCIAL SECURITY NUMBER:
To fill out this form and return it would be irresponsible on my part as a customer, because I would be sending key information via unsecured email across the internet. I would be asking to have my identity stolen. Even though the person requesting this information is telling me this email will go directly to him, that is not really true. It will go from my computer, to my Internet provider (ISP) through a variety of systems on the internet, to the requestor’s internet provider, to their mail server, and then finally to him. There could be any number of redirects and other shifts in the flow while going through the process of getting from my email software to his. Anywhere along that line is the chance, even if slim, for that data to be snooped. If the data includes a number in the format of ###-##-####, there is a better chance that it someone is snooping they will grab a copy of the data because a Social Security number is valuable.
It would be stupid to send this information to the person asking for it. In the case above, this is a local Indianapolis car dealership’s Internet sales person.
But this is even more irresponsible on the part of the business. If your employees were making this request, not only are you putting a client at risk, but you are might be putting yourself in a very liable position. By asking for and accepting this data, there is a level of expectation that you are protecting it. A breach into your mail server or this employee’s system would open you to a serious data breach. From the client’s perspective, a breach anywhere along the path from their computer to yours is likely to be your fault. Simply put, it would be stupid for you to put a client into the position of sending confidential data in this manner. Although it is easy to say your company doesn’t do this, I’m sure the dealership that sent the information above to me would say they don’t do this as well. But, one of their employees did.
It is important for companies to know what data employees are requesting from customers. It is important to know how that information is entering the company and how it is being stored. A plan for making sure that the data is secured is also critical. Even with a plan, it is important to make sure you review the process with your employees. Finally, it is important that you protect your clients and potential clients by not putting them into a position might put them or their data at risk.
Data is a key currency of the future. It is valuable and should be protected. Let’s help our customers avoid flashing this currency around in a way that it could get stolen.
About the Author
Bradley L. Jones (Twitter: @BradleyLJones) is the Director of the Developer.com Network, a division of QuinStreet. He is the founder of the Indianapolis Developers Association (IndyNDA) and co-founder of IndyTechFest, both community organizations in the Indianapolis area. He a bestselling author with over 20 books ranging from C++ to Microsoft Windows. His newest business adventure is the forming a local start-up, Lots of Software, LLC.