To have and to hold

  • Josh Mehlman
  • 23 June 2009
Keeping accurate business records is essential, and customer data can be a powerful marketing tool. However, the more data you hold, the more you have to worry about keeping this information secure, writes Josh Mehlman.

In November 2007, the United Kingdom government was embarrassed internationally when data CDs containing the names, addresses, dates of birth and bank account details of 25 million citizens were lost in the post.

Smaller businesses may never keep such sensitive information, but they still face potential embarrassment, loss of customers, business disruption and reduced sales if they fail to adequately protect the customer data they hold.

“All businesses have a degree of consciousness around the information they hold on their customers and the importance of keeping it protected,” says Steve Martin, manager of the mid-market sector in the Pacific region for security software firm Symantec. “A lot of small businesses know of the problem, but I’m not convinced they’re acting proactively to put the measures in place to prevent data loss.

“There are two aspects to this: protecting the information you hold from breach and protecting vital information so you can continue to run your business if you suffer a data loss.”

Many ways to lose data

Most small businesses probably haven’t considered the wide range of ways in which their customer data might be lost or inadvertently exposed to the outside world. While most people think of shadowy, criminal hackers as the number-one threat, far more businesses lose data as the result of a hard drive failure or software bug, according to research by Rubicon Consulting.

“You need to make sure your technology has a security in-depth approach to protect against threats from outside,” says Martin.

“If you lose a laptop, even if the person who steals it doesn’t use it, you’ve lost a lot of critical information.

“I saw one example of a pest control company that had a fire in their office. Because they didn’t back up their data, they had no records of their bookings for the next month.”

In most cases, data leaks or loss are not the result of malice, but mistakes in business processes, according to Ian Farquhar, senior technology consultant at data security specialist RSA.

“Often data loss occurs when people use it in ways that no one anticipated,” he says. “Say you are a corporation that holds customers’ credit card numbers. Maybe you run a promotion where certain credit card holders win a prize. The marketing person who runs that promotion might get that list and email it out of the organisation or put it on a USB key without stripping out the credit card numbers first.”

Even productivity tools, such as the auto-prompt feature in most email clients, can lead to trouble.

“On numerous occasions we’ve seen someone, instead of sending an internal email, send it to a similar-sounding person externally,” says Martin. “This can cause quite a degree of embarrassment and in some cases legal exposure.”

Complex web of obligations

Companies in Australia operate under a complex web of legislation that governs what data they must keep and the precautions they have to take with the customer details in their care.

“Depending on the type of data stored, there are obligations at federal and state or territory level,” says Michael Park, senior associate at law firm Deacons. “There are special rules for information such as health and financial records.”

The Federal Privacy Act sets out 10 National Privacy Principles. Principle four deals with data security. It says, “... an organisation must take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification or disclosure.”

Because of their size, most Nett readers are exempt from this legal requirement.

“An organisation with an annual turnover of less than A$3 million does not have to comply with the National Privacy Principles,” says Park. “However, smaller organisations are very keen from a public and customer relations point of view to show that they take privacy seriously. More often than not they would prefer to say that they’re compliant.

“The Act is not prescriptive in a technological or process sense, but the Privacy Commissioner has issued some guidelines and information sheets at privacy.gov.au.”

In August 2008, the Australian Law Reform Commission published a report recommending a broad range of changes to the Privacy Act. One of the recommendations was to require companies to tell their customers if, as a result of a security breach, their personal data had been revealed to outsiders.

“We’re not sure what the exact form the legislation will take, but it’s likely to use a ‘real risk of serious harm’ test,” says Park. “That means if there has been a data breach and there is a real risk of serious harm to the customer as a result, the company is obligated to disclose this to the customer.”

Preventative steps

Many small businesses lack the technical expertise to identify the wide range of obligations, potential exposures and preventative measures.

“Engage a trusted advisor, most likely an IT consultant, that understands the complexities and can provide the right advice and tools,” says Martin. “IT security needs to cover all aspects from servers to PDAs and laptops. It’s no use putting a padlock on the front door if your windows are left open.”

Security can be as much about doing things the right way as having the appropriate technologies.

“Look at your physical security: keys, alarms and access control measures,” says Park. “With computer security, make sure you have access control for authorised users. Check a caller’s identity before giving out personal information over the phone. Look at personnel security, too – you need policies around who can access particular types of information.”

One often-neglected area is what happens to computers after you’re finished with them.

“Something like 40% of computers sold on eBay still have personal or corporate data on them,” says Shane Mulholland, managing director of computer recycling and refurbishing company Greenbox. “The most effective way to prevent this data escaping is to take the hard drives out of the machine and physically destroy them by drilling holes in the plates.

“There are software products available that can completely overwrite the disks, removing all traces of information. It has the same effect, but also allows the device to be refurbished and re-used. Re-using a computer is 20 times better for the environment than recycling it.”

Only keep what you need

Because data storage has become fast and cheap, companies keep far more information than they did in the past. There are clear and detailed legal obligations about what data – such as financial records – you must keep and for how long.

Beyond that point, “don’t keep data unless you need to”, says Park. “With the additional storage and retention of information comes the legal obligations around storing it and disclosing it to others.”

For example, any company that keeps customers’ credit card numbers must comply with the Payment Card Industry Data Security Standards (PCI DSS), an onerous set of requirements for most small companies. As a result, many SMEs prefer to use a payment gateway for credit card transactions and avoid holding this sensitive data.

“Organisations need to carefully consider at the outset what information they should be collecting from their customers,” says Park.
