Data breaches have become an everyday reality for many organizations, whose customers feel the effects of identity theft and other fraudulent activities.
Business operations require the exchange of customer information, but companies that take customer data security seriously can build trust between themselves and their customers. For organizations to protect customer data, they must maintain compliance and invest in technologies that boost security to benefit their operations and customer relationships.
What kind of customer information must be secured?
As companies prepare to protect customer information, they should prioritize the following types.
Personally identifiable information. PII refers to information that can distinguish or trace a person’s identity by itself or with other personal or identifying information linked to that individual.
Personal information. PI can directly or indirectly identify, relate to or describe a person or household. PI is relatively broad and can include data associated with someone’s identity, often overlapping with PII.
Sensitive personal information. SPI came into the privacy lexicon under the California Privacy Rights Act — an amendment to CCPA. SPI covers personal data that does not directly identify an individual but may cause harm if made public. It also protects minors and their PI.
Nonpublic personal information. NPI is a type of sensitive information that the Gramm-Leach-Bliley Act introduced. It specifically regulates financial services institutions and includes information that institutions obtain directly from customers or through transactions. NPI does not include publicly available information.
Policies and regulations for data protection
The two most well-known customer data protection policies are GDPR and CCPA. In addition, at least 25 states have data protection laws related to privately and publicly owned companies.
General Data Protection Regulation. GDPR sets guidelines for businesses that collect and process personal information from individuals who live in the European Union. GDPR applies regardless of where websites are based, meaning all sites that attract European visitors must follow these guidelines, even if they don’t specifically market goods or services to EU residents.
California Consumer Privacy Act. CCPA became law on January 1, 2020, and is the U.S.’s strictest data privacy regulation for consumer rights. It aims to protect California-based consumers’ rights related to how businesses collect, use, store and sell personal data — primarily PII.
To protect customer data, organizations can take the following steps:
- Collect only data vital to do business with customers.
- Limit who can access customer data.
- Boost cybersecurity and control access through password management tools.
- Implement a strong data management strategy and store data in a centralized location.
- Set minimum security standards with which the organization complies. For example, any tool must comply with either ISO 27001 or SOC 2.
Technology to protect data
Before organizations invest in security technologies, they should determine if they already have internal safeguards in place to protect data. Those safeguards may include the following:
- CRM tools, which can maintain customer data in a centralized location. CRM platforms can account for where data resides and avoid storing data in multiple areas.
- Two-factor authentication (2FA), which requires customers to use short-term passwords or codes — ranging from minutes to a few days — in conjunction with long-term passwords. 2FA can cut down on breaches associated with compromised passwords.
Beyond CRM tools and 2FA, organizations should look into encryption, integrated malware protection and blockchain to protect customer data.
Encryption. Encryption is a common way to protect customer data from bad actors, and organizations have different types of encryption they can choose among.
- File-level encryption, which can protect data in transit and make it harder for hackers to access cloud-based software or resources. Providers include McAfee and Microsoft. Organizations with on-premises hardware should use a disk encryption offering, such as Apple FileVault 2.
- Advanced Encryption Standard-256, which uses a 256-bit key to encrypt and decrypt data. Many experts consider it a gold standard for block ciphers. Providers include IBM and Microsoft.
Portable mode encryption, which is a type of file-level encryption. Some employees store files on devices such as key fobs and USB drives, which makes it hard for organizations to enforce security policies on those devices. Portable mode protects against breaches in case a USB or portable hard drive is lost or stolen. Providers include TruPax and EasyLock.
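As an added example (not code from the original article or from any provider it names), the following Go program shows what AES-256 encryption of a single customer record looks like when done with an authenticated mode (AES-256-GCM from the standard library): the 256-bit key length is enforced, each record gets a fresh nonce, and a record altered on disk is rejected rather than silently decrypting to garbage. The key, the record contents and the function names are constructed for this demonstration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD and refuses any key that is not 256 bits.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one record as nonce || ciphertext || 16-byte tag; a fresh random nonce per call is mandatory.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: never returns an error on Go 1.24+
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord; any modified byte fails the tag check.
func DecryptRecord(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed record too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; real keys live in a KMS/HSM
	sealed, _ := EncryptRecord(key, []byte("customer_id=1042,email=jane@example.com")) // constructed PII
	sealed[len(sealed)-1] ^= 0x01 // flip one bit, as on-disk tampering would
	_, err := DecryptRecord(key, sealed)
	fmt.Println("tampered record rejected:", err != nil) // prints: tampered record rejected: true
}
```

The same construction applies to a whole file: read it, seal it, write nonce and ciphertext out together, and treat any Open failure as a signal that the stored copy is not trustworthy.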
Integrated malware protection. Cybercriminals can steal data without a user’s knowledge. Malware protection — also known as antivirus protection — acts as a firewall that organizations can integrate with existing software for additional security on devices. Providers include Bitdefender and McAfee.
Blockchain technology. Blockchain lets customers take ownership of their data without permissions, checks and authorizations. Further, blockchain is known for its innovative ability to store data across a series of networks without needing a central location. Providers include IBM, Microsoft and Accubits.