Taking Care When Holding Customer Data

We’re now used to Edward Snowden’s revelations of National Security Agency data spying. His strategy was clever – a slow drip of new information which kept the disclosures on the front pages for many months. It’s sparked considerable debate about privacy and reasonable limits in a “free” society.

Despite the ominous spectre of government surveillance, the private use and abuse of data is more disquieting. We’re talking about things like the “with consent” gathering of personal information by companies such as Google, Facebook and even your corner store, and the inevitable issues which arise when that information is compromised. The aptly named Target chain was attacked, with over a hundred million customer records copied…somewhere.

When huge amounts of data go astray there are bound to be legal consequences. Especially in the litigious U.S. environment we can expect many lawsuits and costs to Target in the millions, if not billions, of dollars. Even if you are not holding millions of records, can your business face similar liability? If so, can it be managed?

First understand how the information can be compromised. In the case of a governmental body like the NSA or Canada’s own spy agencies, there are many methods including secret deals with hardware and software makers to build “back doors” into their products. But even without that cooperation the agencies can utilize “upstream” interception where they simply tap into the internet before the data enters a site. Putting a tap upstream from Google, for instance, would allow the spy to scan every email that goes through Gmail– a staggering number.

Email is usually relayed between mail servers as plain text, so there is often no encryption to defeat at all. Even where traffic flows through SSL (Secure Sockets Layer, the most common encryption protocol used on the World Wide Web and recognizable by the “https” at the beginning of a URL), it is suspected that spy agencies simply collect the private keys behind SSL certificates once those certificates have expired and the keys are no longer carefully guarded. The certificate itself is public; it is the private key that matters. Unless the connection was set up with a key exchange that provides forward secrecy, a server’s private key allows the holder to go back and decrypt traffic that was collected and stored in the past.

But it seems that Target and similar victims were hit by ordinary criminals infiltrating networks and installing malware on point of sale terminals. Many of these terminals run a variant of Windows known as XP Embedded. Since it is based on Windows there is a large pool of knowledge on how to take advantage of security flaws.

Although businesses hit by these attacks are obviously victims, they cannot play that card to avoid liability. Custodians of personal data, including names, addresses and potentially credit card and banking data, must take reasonable steps to protect that data. The extent of that obligation is a moving target. It is also an ever higher bar as we learn more about new exploits.

This is mostly opinion, because of the lack of case law, but reasonable care today would probably mean a minimum of encrypting all customer data with strong keys that are stored apart from the data they protect, keeping all software up to date with the latest patches, restricting the number of people and machines with access, and perhaps separating data so that the breach of one pool will not allow identifying information to go into the clear. This is just a partial list, but any business that has not audited its computer security is at a higher risk.
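As an added illustration of two of the points above, keeping encryption keys apart from the data and separating the pools so that one breach does not expose everything, the following Go program is example code written for this page; it is not anything Target or any vendor runs. It stores a customer’s contact details in one store and the card number, encrypted with AES-GCM, in a second store, with the two linked only by a random token. The key is held in memory purely for the example (an assumption; in practice it would live in an HSM or key management service, not beside either store), and the customer and card number are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// identityRecord lives in the contact store: the data needed for an ongoing
// relationship. It carries only an opaque token, never the card number.
type identityRecord struct {
	Name, Address string
	Token         string // random, meaningless outside the vault
}

// Vault keeps the two pools apart. The AES key is held in memory here only
// for the example; in practice it belongs in an HSM or KMS (assumption).
type Vault struct {
	identities map[string]identityRecord // customer ID -> contact data
	secrets    map[string][]byte         // token -> nonce || ciphertext
	aead       cipher.AEAD
}

// NewVault wraps a 16, 24 or 32 byte AES key in an AEAD cipher.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{identities: map[string]identityRecord{}, secrets: map[string][]byte{}, aead: aead}, nil
}

// Store splits one customer record across the two pools.
func (v *Vault) Store(customerID, name, address, cardNumber string) error {
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return err
	}
	token := hex.EncodeToString(tok)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The token is bound in as additional data, so a ciphertext moved under
	// another customer's token fails authentication on decrypt.
	ct := v.aead.Seal(nil, nonce, []byte(cardNumber), []byte(token))
	v.secrets[token] = append(nonce, ct...)
	v.identities[customerID] = identityRecord{Name: name, Address: address, Token: token}
	return nil
}

// Retrieve joins the pools again; only code holding the key can do this.
func (v *Vault) Retrieve(customerID string) (string, error) {
	id, ok := v.identities[customerID]
	if !ok {
		return "", errors.New("unknown customer")
	}
	blob, ok := v.secrets[id.Token]
	if !ok {
		return "", errors.New("no payment data on file")
	}
	n := v.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("corrupt record")
	}
	pt, err := v.aead.Open(nil, blob[:n], blob[n:], []byte(id.Token))
	if err != nil {
		return "", err // wrong key or tampered record
	}
	return string(pt), nil
}

// IdentityDumpContains simulates an attacker dumping the contact store and
// searching it for a given string (for example a card number).
func (v *Vault) IdentityDumpContains(s string) bool {
	for _, r := range v.identities {
		if strings.Contains(r.Name+r.Address+r.Token, s) {
			return true
		}
	}
	return false
}

// SecretsDumpContains does the same for the encrypted payment store.
func (v *Vault) SecretsDumpContains(s string) bool {
	for _, blob := range v.secrets {
		if bytes.Contains(blob, []byte(s)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed example key; use a KMS in practice
	rand.Read(key)
	v, _ := NewVault(key)
	// Constructed sample customer; 4111111111111111 is a standard test card number.
	v.Store("c-1001", "Pat Example", "1 Main St, Regina", "4111111111111111")
	card, _ := v.Retrieve("c-1001")
	fmt.Println("retrieved:", card)
	fmt.Println("card in contact store:", v.IdentityDumpContains("4111111111111111"))
	fmt.Println("card in payment store:", v.SecretsDumpContains("4111111111111111"))
}
```

A dump of the contact store yields names and addresses but no card data; a dump of the payment store yields only nonces and ciphertext, and without the key (held elsewhere) the two cannot be joined. The design does nothing for an attacker who compromises the application process that holds the key, which is why the access restriction in the list above still matters.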

It’s also important to remember that the more sensitive the information the higher the standards. Financial or health records are much more private than phone numbers and so will demand higher compliance levels.

It may also be that not keeping any data is the best defence. Although the collection of certain contact information is necessary for ongoing relationships, things like credit card numbers are seldom absolutely necessary. True, it’s a convenience to your customers when you can keep their payment information on file for future purchases. It also helps the business process regular payments. But if you assume the question is not whether you will be hacked but how soon, you can see the danger in keeping anything that is compromising. Avoid a packrat mentality that says more information is always better.

Every person who suffers identity theft is another customer demanding a higher standard from their suppliers. It will get worse, and you don’t want to be the weakest link.

This article originally appeared in Saskatchewan Business magazine and is reprinted with their kind permission.