Data breaches have become an everyday reality for many organizations, whose customers feel the effects of identity theft and other fraudulent activities.
Business operations require the exchange of customer information, but companies that take customer data security seriously can build trust between themselves and their customers. To protect customer data, organizations must maintain compliance and invest in technologies that boost security to benefit their operations and customer relationships.
What kind of customer information must be secured?
As companies prepare their data security policies, they should prioritize protecting the following types of customer information:
- Personally identifiable information (PII). PII refers to information that can distinguish or trace a person's identity by itself or with other personal or identifying information linked to that individual.
- Personal information (PI). PI can directly or indirectly identify, relate to or describe a person or household. PI is relatively broad and can include data associated with someone's identity, often overlapping with PII.
- Sensitive personal information (SPI). SPI came into the privacy lexicon under the California Privacy Rights Act -- an amendment to CCPA. SPI covers personal data that does not directly identify an individual but may cause harm if made public. It also protects minors and their PI.
- Nonpublic personal information (NPI). NPI is a type of sensitive information that the Gramm-Leach-Bliley Act introduced. It specifically regulates financial services institutions and includes information they obtain directly from customers or through transactions. NPI does not include publicly available information.
Policies and regulations for data protection
The two most well-known customer data protection policies are GDPR and CCPA. In addition, at least 25 states have data protection laws related to privately and publicly owned companies.
General Data Protection Regulation
GDPR sets guidelines for businesses that collect and process personal information from individuals who live in the European Union. GDPR applies regardless of where websites are based, meaning all sites that attract European visitors must follow these guidelines, even if they don't specifically market goods or services to EU residents.
California Consumer Privacy Act
CCPA became law on Jan. 1, 2020, and is the United States' strictest data privacy regulation for consumer rights. It aims to protect California-based consumers' rights related to how businesses collect, use, store and sell personal data -- primarily PII.
To protect customer data, organizations can take the following steps:
- Collect only data vital to doing business with customers.
- Limit who can access customer data.
- Boost cybersecurity and control access through password management tools.
- Implement a strong data management strategy, and store data in a centralized location.
- Set minimum security standards with which the organization complies. For example, any tool must comply with either ISO 27001 or System and Organization Control 2.
Technology to protect customer data
Before organizations invest in security technologies, they should determine if they already have internal safeguards to protect data. Those safeguards may include the following:
- CRM tools can maintain customer data in a centralized location. CRM platforms can account for where data resides and avoid storing data in multiple areas.
- Two-factor authentication (2FA) requires customers to use short-term passwords or codes -- ranging from minutes to a few days -- in conjunction with long-term passwords. 2FA can cut down on breaches associated with compromised passwords.
Beyond CRM tools and 2FA, organizations should look into encryption, integrated malware protection and blockchain to protect customer data.
Encryption is a common way to protect customer data from bad actors, and organizations have different types of encryption they can choose from:
- File-level encryption can protect data in transit and make it harder for hackers to access cloud-based software or resources. Providers include McAfee and Microsoft. Organizations with on-premises hardware should use a disk encryption offering, such as Apple FileVault 2.
- Advanced Encryption Standard-256 uses a 256-bit key to encrypt and decrypt data. Many experts consider it a gold standard for block ciphers. Providers include IBM and Microsoft.
- Portable mode encryption is a type of file-level encryption. Some employees use devices like key fobs and USB drives to store files, which can cause organizations to struggle to enforce security protocols on them. Portable mode protects against breaches in case a USB or portable hard drive is lost or stolen. Providers include TruPax and Kaspersky.
Integrated malware protection
Cybercriminals can steal data without a user's knowledge. Malware protection -- also known as antivirus protection -- acts as a firewall that organizations can integrate with existing software for additional device security. Providers include Bitdefender and McAfee.
Blockchain lets customers take ownership of their data without permissions, checks and authorizations. Further, blockchain is known for its ability to store data across a series of networks without needing a central location. Providers include IBM, Microsoft and Accubits.