Retailers rely on loyalty programs and promotions to improve the customer experience, attract new customers and grow revenue. To join, customers hand over a loyalty card, a driver's license or other sensitive personal information without a second thought. Until recently, retailers rarely considered the security implications of receiving and holding onto that information. Here is a partial list of organizations that suffered large breaches of personal information in and around 2014:
Anthem. IRS. eBay. P.F. Chang's. JPMorgan Chase. UPS. Target. Neiman Marcus. Sony. The Home Depot. Goodwill. Dairy Queen.
Each of these organizations was breached by a different method, but the common thread is that personal data was compromised and misused. In some of these breaches the stolen data included the personal information of the company's own employees, not just its customers.
Carsten Casper, Research Vice President at Gartner, believes that decreasing the storage of sensitive, personal information on IT systems should become a part of strategic planning efforts: “As the amount of personal information increases multifold, individuals and their personal data will increasingly become a security target. And, yet in most scenarios, the organization is still ultimately accountable for the personal data on its IT systems. The time has come to create an exit strategy for the management of personal data. Strategic planning leaders will want to move away from storing and processing personal data in the next five years.”
How can personal information be misused by hackers?
According to Consumer Reports, “Your personal information—everything from your shopping habits to your health history—can be available to criminals. All they need to do is tap into the public and private databases that gather, buy, and sell your vital statistics. When users buy and compile various pieces of information about you, they can paint a very complete picture of your activities.”
Personal records are at least as valuable to attackers as card data, and often more so. A stolen identity can cause lasting misery for the victim; medical records, for example, can be misused to obtain treatments and prescriptions in the victim's name. For retailers, data security is therefore not just about protecting card data. It covers all customer and employee information, including Social Security numbers, dates of birth, addresses, billing information, health records, driver's license numbers and ethnicity.
What is the best approach to safeguarding personal data?
Businesses need a comprehensive, centralized data security solution and an overall strategy for protecting the personal data of customers and employees. Against increasingly sophisticated attacks, a patchwork of unrelated point tools for different security functions is no longer adequate. Too often, because of budget constraints or the urgency of immediate needs, outdated technologies that no longer serve their purpose are left in place. Businesses need to implement sensible security policies, deploy the right technologies and train their employees accordingly.
Here are some tips on keeping personal information secure:
- Collect Social Security numbers only where they are required, such as employee tax reporting. Do not store them anywhere else, and discontinue any other use immediately.
- Develop written policies for retaining personal records and for disposing of them securely.
- Never store cardholder data outside the payment system: not in emails, on paper, on laptops or on file servers.
- Use card data discovery scanning to search emails, workstations and servers for stored card numbers so that stray copies can be found and removed.
- Retain sensitive information in computer systems only as long as it is needed; data that is not stored cannot be stolen.
- Personal information is often shared unintentionally. Follow the written policies and pay attention to what is actually being shared and with whom.
- Read the privacy-rights notices from banks and other financial companies you deal with.
- Follow the Payment Card Industry Data Security Standard (PCI DSS), which covers:
  - assessing vulnerabilities in your network
  - restricting the storage of sensitive customer data on internet-connected devices
  - encrypting sensitive data at rest
  - password policy and remote access to systems
  - applying patches
  - running up-to-date anti-virus and anti-malware
  - keeping applications updated
  - securing information in transit with Transport Layer Security (TLS)
  - proper configuration of firewalls and routers
  - use of wireless intrusion prevention systems
  - security awareness training
  - security practices for contractors and service providers
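The card data discovery scanning tip above is the one item in this list that is a concrete technique, so here is an added example of how such a scan works. This is illustrative code written for this page, not Omega's product or any PCI-mandated tool: it finds runs of 13 to 19 digits in text, keeps only those that pass the Luhn check digit and carry a known issuer prefix, and reports each hit masked to its first six and last four digits so the report itself never holds a full card number. The mailbox text is constructed for the example, and the card numbers in it are the publicly documented test numbers used by payment gateways, not real accounts.

```python
"""Card-data discovery: find and mask stored card numbers (PANs) in free text.

Added example for this page (not Omega's tooling). Two-stage filter:
  1. regex finds 13-19 digit runs, optionally grouped by spaces or dashes;
  2. each run must pass the Luhn check digit AND start with a known
     issuer prefix, which removes order numbers, pallet IDs and phone numbers.
Hits are reported masked (first six / last four) so the report is safe to store.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 13-19 digits with optional single space/dash separators; the lookarounds
# stop us matching the middle of a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(pan: str) -> Optional[str]:
    """Map a PAN to a card brand by prefix and length; None if unrecognised."""
    n = len(pan)
    p2, p3, p4 = int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= p2 <= 55 or 2221 <= p4 <= 2720):
        return "Mastercard"
    if n == 15 and p2 in (34, 37):
        return "American Express"
    if 16 <= n <= 19 and (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649):
        return "Discover"
    return None


def mask(pan: str) -> str:
    """Keep first six and last four digits, the usual truncation for PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line: int
    issuer: str
    masked: str


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line and return validated, masked card numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())   # drop separators
            brand = issuer(pan)
            if brand is None or not luhn_ok(pan):
                continue                            # not a card number
            findings.append(Finding(lineno, brand, mask(pan)))
    return findings


# Constructed sample: a support mailbox where card numbers were pasted.
# Card numbers are the standard gateway test numbers, not real accounts.
SAMPLE_MAILBOX = """\
From: store-manager@example.com
Subject: loyalty signup issue
Customer called from 636-555-0147 about order ORD-4111111111111112.
She read her card over the phone: 4111 1111 1111 1111, exp 09/26.
Second card on file: 5555-5555-5555-4444
Corporate Amex used for the deposit was 378282246310005.
Internal ref 9999999999999995 is a warehouse pallet ID, not a card.
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_MAILBOX):
        print(f"line {f.line}: {f.issuer} {f.masked}")
```

In the sample, the order number on line 3 looks like a Visa number but fails the Luhn check, and the pallet ID on line 7 passes Luhn but has no known issuer prefix; both are dropped, leaving the three genuine card numbers. In practice the same scan_text is run over mail stores, file shares and database dumps, and every hit is a retention-policy violation to remediate.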
Organizations that collect sensitive personal information are ultimately accountable for it and must take the necessary actions to keep their IT systems secure. For more information on securing personal information and other data security best practices, call Omega at 636-557-7777 or get in touch with us here.