Customer data protection: how to eliminate risks of loss or exposure

Companies increasingly depend on customer’s information to operate and grow their business. Mobile devices, outsourcing services and cloud solutions brought new and impactful security challenges. We all agree that sensitive data exposure is unacceptable and actions must be taken – from the information entry point to the moment that it is archived or even destroyed. But identifying and addressing potential data breaches can be difficult. What critical information is exposed to threats? Which threats represent the greatest risk? What regulations have to be addressed and how to ensure customer data protection?

As organizations answer these questions, they gain insight and visibility into their current risks and can begin to manage them in a proactive, coordinated and holistic approach. It is much more than an IT problem; it’s a real core business initiative. And it affects companies of all shapes and sizes!

According to Samir Kapuria, Senior Director, Enterprise Security Practice at Symantec, cyber criminals are not the only threat to information security. "Organizations and companies must also protect against the threat from insiders, whether from well-meaning employees who inadvertently put data at risk or from malicious ones who intentionally expose critical information."

Organizations must not only understand their exposure to internal and external data breaches, but also be able to measure current data loss risk across networks, web/mobile applications and other channels. A data security breach can happen for a number of reasons, including:

  • Loss or theft of documents or equipment on which data is stored (including break-in to an organization’s premises);
  • Inappropriate access controls allowing unauthorized use;
  • Equipment failure;
  • Human error;
  • Unforeseen circumstances such as a flood or fire;
  • Hacking attack;
  • Access where information is obtained by deceiving the organization that holds it.

While organizations may acknowledge the need for customer data protection, the complexity of their environment often undermines their best security efforts. Limited budgets and uncontrolled outsourced teams often result in misaligned objectives, incomplete security activities, and holes in data protection and security.

Best practices for customer data protection

Organizations must review and prioritize their critical information and data assets, and identify how that sensitive information is being used across the business.

AIIM research found that 26% of organizations have already suffered loss or exposure of customer data, and 18% lost employee data. As a consequence, 10% received action or fines from the regulator, 25% saw a disruption to business and 18% a loss of customer trust. This is unacceptable and preventable. The question is: how?

An ideal data protection policy should incorporate all the procedures required to protect any personal asset, ensuring:

  • Confidentiality
    • By protecting information from unauthorized access and disclosure.
  • Integrity
    • By safeguarding the accuracy and completeness of information and preventing its unauthorized amendment or deletion.
  • Availability
    • By guaranteeing that information and associated services are securely available to authorized users, whenever and wherever required.

Customer data protection should be a holistic and corporate-wide approach, from start to finish.


Follow these guidelines to really ensure customer data protection and compliance:

  1. Have a document management solution with embedded security and compliance (it eliminates all possibilities of noncompliance by user action), starting at the point of origination (data capture) and continuing throughout the whole process (data integration).
  2. Give users the confidence that what they are doing is safe by implementing security keys, two-step authentication, tokens and encryption.
  3. Mitigate data breaches by segregating document types for adequate records management. Classify and define at the entry point what kind of information is considered personal and when it will expire or be destroyed (retention schedules according to existing regulations). This way, when information flows into the final database or core systems, it already carries its private-data classification, the retention rules around it, and the link between each piece of information and the ID it belongs to. This makes it far less exposed to data breaches, hacker attacks, insider threats and theft.
  4. Securely store customers' data and make it easily and securely searchable and accessible.
  5. Implement a Business Continuity Plan/Disaster Recovery Plan to ensure that you don't lose customer data in the event of an accident.
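The classification-at-capture idea in step 3, as an added example that is not code from the original post or from Papersoft: each record is tagged at the entry point with which fields are personal data and when each one expires, so the retention rule travels with the record into downstream systems and expired fields can be purged on schedule. The field-to-class map and the retention periods are constructed assumptions, not any regulation's actual requirements.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Constructed retention schedule in days per data class (assumption, not a
# statement of any regulation's actual retention period).
RETENTION_DAYS = {"identity": 5 * 365, "contact": 2 * 365, "financial": 7 * 365}

# Constructed map of captured field names to personal-data classes (assumption).
PERSONAL_FIELDS = {
    "national_id": "identity",
    "email": "contact",
    "phone": "contact",
    "iban": "financial",
}


@dataclass
class CapturedRecord:
    record_id: str
    captured_on: str                  # ISO date of capture
    fields: Dict[str, str]
    classification: Dict[str, str] = field(default_factory=dict)  # field -> class
    expires_on: Dict[str, str] = field(default_factory=dict)      # field -> ISO date


def classify_at_capture(record_id: str, captured_on: str, raw: Dict[str, str]) -> CapturedRecord:
    """Tag personal-data fields with their class and retention expiry at the entry point."""
    rec = CapturedRecord(record_id, captured_on, dict(raw))
    start = date.fromisoformat(captured_on)
    for name in raw:
        cls = PERSONAL_FIELDS.get(name)
        if cls is None:
            continue  # not personal data: no classification or retention rule attached
        rec.classification[name] = cls
        rec.expires_on[name] = (start + timedelta(days=RETENTION_DAYS[cls])).isoformat()
    return rec


def expired_fields(rec: CapturedRecord, today: str) -> List[str]:
    """Personal-data fields whose retention period has elapsed as of `today` (ISO date)."""
    return sorted(n for n, exp in rec.expires_on.items() if exp <= today)


def purge_expired(rec: CapturedRecord, today: str) -> List[str]:
    """Drop expired personal-data fields from the record; returns the names removed."""
    removed = expired_fields(rec, today)
    for n in removed:
        rec.fields.pop(n, None)
        rec.classification.pop(n, None)
        rec.expires_on.pop(n, None)
    return removed
```

Non-personal fields such as a name pass through untouched, while a contact field captured on 2016-01-01 is flagged as expired by 2018 and removed, leaving the longer-lived financial field in place.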

Too much or too complex? Don’t worry! By choosing a Data Extraction-as-a-Service model, all of them are guaranteed. You pay a fee per document, and that’s it!

Complying with existing regulations

If you operate in a regulated environment, then besides all the reasons cited above to protect your customers' data, you must also do so to comply with existing norms. If not, you may be subject to high penalties or even be excluded from the market.

We invite you to check DLA Piper’s free Data Protection Laws of the World Handbook, covering over 70 jurisdictions. You can download the full pdf or search your country of interest in the online format.

We highlight some of them:

  • The European Union's new General Data Protection Regulation harmonizes the current data protection laws in place across the EU member states. The fact that it is a "regulation" instead of a "directive" means it will be directly applicable in all EU member states without a need for national implementing legislation. The objective of this new set of rules is to give citizens back control over their personal data and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market, which the Commission has prioritized. The reform allows European citizens and businesses to fully benefit from the digital economy.
  • Law nº 67/98 defines Portuguese Data Protection Law.
  • Portuguese SEGNAC 4 includes the standards for national security, the safeguarding and protection of classified information, and computer security.
  • Electronic Signature in Global and National Commerce Act (ESIGN) is the United States federal law to facilitate the use of electronic records and electronic signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts entered into electronically.
  • Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
  • UK Data Protection Act controls how your personal information is used by organizations, businesses or the government.
  • The POPI Act is South Africa's Protection of Personal Information Act.

To-dos:
– Check your company's data protection policy and compliance.
– Count on us for your document management projects and keep your company's and your customers' information assets secure, protected and compliant.
– Subscribe to our blog to receive valuable insights about document management and paper-free processes.
– Download the free Industry Watch Report by AIIM and Papersoft, "Paper-free progress: measuring outcomes", and see how going paper-free is improving productivity, accessibility and compliance, the progress you've made and how your organization compares to others.
