Security Advisor
Protect Your Customer Data
Joern shows you how to cover your security bases -- and keep your customers happy.
- By Joern Wettern
- 06/01/2007
One of the most challenging tasks facing businesses today is protecting customer
data. Identity theft cases and high profile data privacy breaches fill the headlines,
which only underscores how essential it is to keep your customers' data private
and secure.
A few years ago, Oracle Corp. CEO Larry Ellison proclaimed that "privacy...is
largely an illusion." These days, that sentiment doesn't go over well with
consumers, who are increasingly sensitive about the security of their personal
data. Before long, companies that don't take steps to safeguard their customers'
data won't have any customers to worry about.
If your business revolves around collecting and maintaining customer data,
such as names, e-mail addresses, credit card numbers or any other potentially
sensitive data, then safeguarding the privacy of that data is essential to your
company's continued existence. Accidental disclosure of data that hasn't been
properly safeguarded is a disaster on many different levels -- financial, customer
trust and quite possibly legal ramifications.
Most organizations are required by law to inform customers when their personal
information is compromised. Consider the cost of not being careful with names,
addresses, credit card numbers and other customer data. Research firm Gartner
Inc. estimates that an average data breach costs $140 per affected customer.
This includes direct costs like legal fees and the cost of notifying customers,
as well as indirect costs like losing customers and employee productivity. While
the impact on your bottom line may not equal that experienced by The TJX Companies
Inc., which recently admitted that data for more than 45 million customers was
stolen from their servers, any theft of customer data is bound to be more expensive
than you dare to imagine.
Policies Matter
A good starting point for protecting customer data is to establish and enforce
a privacy policy. Most people do actually read these policies, which are routinely
posted on Web sites. Customers are also becoming increasingly sophisticated
about analyzing policies and determining how they will affect the security of
their personal data.
A good privacy policy clearly states what types of information you collect,
how long you need to keep this data, under what circumstances you may share
the data with others and how you safeguard this information. A good policy also
describes how your company protects customers, rather than merely justifying
overzealous data collection.
A good example of a customer-friendly privacy policy is the one
used by ING Direct. The bank clearly lists four principles of data collection
and use and then explains what each of these principles means. ING Direct's policy
identifies what data it maintains, the limited conditions under which it will
share customer data with third parties and what happens to your data when you're
no longer a customer. The policy is easy to understand and demonstrates that
the company is concerned with privacy.
Unfortunately, you can also find many examples of meaningless privacy policies.
You don't have to search for long to find companies that essentially state that
they may use all information they collect as they see fit, including sharing
this information with third parties for advertising purposes.
There's also a trend of rendering privacy promises meaningless by stating that the
company reserves the right to change its policy at any time without notifying
customers of such changes. Lawyers may advise you to include such a statement
in your policy, but you should look for more customer-friendly alternatives.
For instance, Amazon.com Inc.'s privacy policy contains a similar provision,
but it's supported by a pledge to always protect any data according to the privacy
policy in effect when the customer initially supplied the information.
What Do You Need To Know?
As you're evaluating your data collection policies, carefully consider what
you really need to know to run your business. This starts with basic demographic
information. If you're a software vendor who offers trial software for download,
you may require visitors to your Web site to fill out a form before they can
initiate the download. Many such forms ask new customers for their name, address,
phone number, e-mail address, job role, nature of their business and more.
Some of this information is collected in order to contact the prospective customer.
Other times, the reason for collecting it is simply that someone thought it
would be nice to know as much about prospective customers as possible. Is it
really useful, though, to know someone's address if you don't plan to send them
any mail? Does gathering statistics about your Web site visitors outweigh the
risk of annoying potential customers who may feel they're being asked to provide
too much information?
As you're evaluating what to collect, take a long, hard look at whether you
really need the information. Collecting unnecessary information doesn't just
annoy customers, it also leads to clutter that can make it much more difficult
to safeguard the data.
How Long Do You Need It?
When dealing with your own personal data, there's probably no harm in keeping
it around forever. Doing the same for business data can be problematic. Sure,
there are good reasons to have a data retention policy. Long-term archiving
of certain data can even be a legal requirement in some industries. However,
this shouldn't be the default. If you delete data you won't need in the future,
you won't have to worry about the consequences if it's compromised.
For example, most businesses have no need to store a credit card number after
processing a credit card transaction. Deleting this information from your servers
quickly and consistently will spare you the agony of reading in the press that
someone stole thousands of credit card numbers from your servers.
Where Should You Keep It?
Most businesses provide their customers with Web forms to enter information
about themselves, whether this is an e-mail address or a Social Security number.
Just because you need to collect this information with a server that's on the
Internet doesn't mean that same server that holds the data should also be accessible
from the Internet. Fortunately, most businesses place their database servers
on a separate network, so that hackers can't get at them directly.
In many cases, however, the same Web servers used for data entry are also used to
retrieve information from the database server. This renders the isolation of the
database on a separate network useless. Such bad network design is often the result
of taking shortcuts, not paying attention to how data is used or not analyzing the
value of the data.
Even if you think your databases aren't accessible, they may become so inadvertently.
One of the most common vulnerabilities on Web servers is SQL injection. This
type of attack puts a SQL query into a form field instead of the expected data,
like an e-mail address.
If your Web application doesn't carefully check, before passing entered data on
to your database server, that the data isn't really a SQL command, you may
let a hacker get to any information he wants in your database. The only defense
against such attacks is careful Web application design to ensure that all data
entered by users is indeed valid.
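The following is an added example, not code from the original column, showing the lookup the article describes in its vulnerable form (the form field is concatenated into the SQL text) beside the hardened form (a parameterized query plus allow-list validation of the e-mail address). It uses Python's built-in sqlite3 module with a constructed in-memory customer table; the table layout and sample rows are assumptions for illustration.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data standing in for the database server behind the Web form.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice@example.com", "Alice", "4242"), ("bob@example.com", "Bob", "1111")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Builds the query by string concatenation: whatever the visitor typed into the
    # e-mail field becomes part of the SQL statement and is parsed as SQL.
    sql = "SELECT name, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Parameterized query: the value is handed to the driver separately from the
    # statement text, so it can only ever be compared as data, never run as SQL.
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Allow-list check: accept only strings shaped like an e-mail address. This pattern
# is a deliberately simple assumption, not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value):
    return bool(EMAIL_RE.match(value))


def lookup_hardened(conn, email):
    # Validate first, then query with parameters: two independent layers of defense.
    if not is_valid_email(email):
        return []
    return lookup_safe(conn, email)


if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR '1'='1"  # a form-field value that is really a SQL fragment
    print("vulnerable:", lookup_vulnerable(db, tainted))  # leaks every row
    print("safe:      ", lookup_safe(db, tainted))        # no match, nothing leaked
    print("hardened:  ", lookup_hardened(db, tainted))    # rejected before the query
```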
Can They Take It With Them?
Whenever you're storing customer data, you should be concerned about which employees
have access to this data. After all, statistics consistently show that the majority
of data theft is performed by insiders. Even if all your employees are trustworthy,
it's not uncommon for someone to lose a laptop or removable storage containing
confidential data.
Trying to protect against data disclosure by employees exposes an unfortunate
dilemma. Employees, such as those in a customer service department, need to
have access to the data you maintain to perform their jobs. You also have to
ensure that they can't steal this data. There's no absolute protection against
data disclosure or data theft by someone who has access to the data, but there
are easy methods to mitigate the risk.
If you make sure employees can only view a single customer record at a time,
you can at least prevent someone from taking a large number of customer records
with them. You can also restrict the use of mobile storage to prevent someone
from easily carrying data out the door. You can also purchase software to enforce
encryption of all confidential data that is legitimately taken off your premises.
The Simple Things
Preserving your customers' privacy and safeguarding customer data is a complex
task. It includes business analysis, Web design, database administration, network
access control and much more. This may seem like a daunting task, but you can
address many problems by implementing a few of the simple principles described
here.
Keep your customers' privacy concerns in mind, store only the data you need,
and provide access to customer data only to the extent required to run your
business. This creates a foundation for designing secure Web applications and
networks. The result will be more secure and easier to manage.
About the Author
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.