As customers become more aware of personal data use, companies must realise that preserving information on customers is of the utmost importance
As a growing number of organisations will ruefully attest, the protection of customer data in an age of massive electronic storage capacity is turning into one of the most pressing issues of the day.
This is particularly true in the UK and Europe, where the law is tougher than in the USA, particularly on the unauthorised use of customer data. Several high-profile cases are under investigation within Europe, including one on how Apple gathers and applies customer information.
What’s changed the game is the sheer volume of customer data held by organisations. “Changes in the use of technology and the reliance on digital, rather than paper-based systems, mean that if the right controls and procedures aren’t in place, it’s easier to lose large quantities of aggregated data,” explains Vicki Saward, head of government practice at BAE Systems Detica (which has just signed a substantial contract with the Ministry of Justice). “The consequential loss is now greater as a result.”
As well as loss of such data, its misuse is also high on regulators’ agenda. In September, four telecommunications companies - UPC, Vodafone, O2 and Eircom - were fined a combined €15,000 in Ireland on charges related to making unsolicited marketing phone calls and sending unsolicited marketing messages, all using customer information. All four pleaded guilty.
Punishment for breaches is likely to get more severe too, if the UK Information Commissioner has his way. Referring to a case in which an ex-Barclays Bank employee was fined for ‘blagging’ (unlawfully accessing) the records of a woman whom her husband had sexually attacked, the ICO’s Christopher Graham said in September: “It beggars belief that - in an age where our personal information is being stored and accessed by more organisations than ever - the penalties for seriously abusing the system still do not include the possibility of a prison sentence, even in the most serious cases.”
The ubiquity of online records has pushed responsibility deeper into organisations of all kinds, as Sir Edmund Burton pointed out in his 2008 report into the Ministry of Defence’s loss of vital data. “There seems to be a lack of awareness that in the information age the behaviour of each individual is a significant factor in the risks faced by the parent organisation.” This new vulnerability applies right across the spectrum - central and local government, the private sector, universities and schools.
But it’s not all about electronic storage. Sensitive paper documents are routinely mislaid too, like the nine case files on the welfare of young people recently left, inadvertently, in a filing cabinet in the office of the Scottish Children’s Reporter Administration. Sold on to a second-hand shop as part of an office refurbishment, they were recovered only thanks to the buyer.
In general, regulators and customers alike are taking a firmer line. As Stephen Bonner, a specialist in customer protection and partner in KPMG’s information protection and business resilience department, says: “There are great commercial benefits in having volumes of customer information but with that comes a commensurate responsibility in protecting it. We’re facing a perfect storm where customers really care about what happens to data affecting them.”
Because the public has become more alert to breaches, data protection has become a selling point. “Banks are highlighting their enhanced security measures and pushing customers’ peace of mind as a competitive differentiator,” adds Saward. “As more and more services are brought online across all sectors, we’d expect this trend to be echoed in other industries too.”
Here are 12 ways of ensuring your company protects customer data:
1 Think big but start small
Improving data protection should be an evolutionary rather than a revolutionary process, says Saward. “The organisation doesn’t have to be turned upside down.”
2 Track changes
As changes are made step by step, track the financial and non-financial benefits.
3 Use the trash
Keep only data needed for a specific purpose, keep it up to date and dispose of it when no longer needed.
4 Communicate the consequences
Make sure employees are aware of the value of the data at their disposal. Risk consultants say most employees will take responsibility if put fully in the picture.
5 Have no fear
Encourage employees to immediately bring loss of data - or near misses - to line managers’ notice without fear of retribution. “Near misses are very instructive,” Bonner explains.
6 Remember the hard copy
Don’t ignore old-fashioned paper documents. They are often left lying around.
Some data is more sensitive than other data and should be prioritised for protection according to the risk it poses to the firm and its customers.
8 Run regular audits, including informal ones
One firm checked desks after staff had departed for the day and left coloured balloons on the compliant ones. Another put posters in toilets reminding staff of the importance of respecting customers’ privacy.
9 Understand the data flow
Suppliers and other third parties should be in the loop and their responsibilities written into contracts. One firm successfully included a supplier in its own internal data protection campaign.
10 Make sure sensitive data is encrypted
Regulators will take a dim view if unencrypted information is lost.
11 Take care
Grade and protect customer information according to its importance. “Protect the data that’s of highest value,” Saward suggests.
12 Be transparent
Above all, don’t attempt to cover up loss of data. When the breach eventually reaches the light of day, as it will, the inevitable loss of customer confidence will cost dearly.