Mary M. Collins

“Big data” is becoming increasingly important to the industry. Cable programming networks and MSOs can use this information to fine tune marketing efforts and tailor sales offers to the interests of their customers. Advertisers are also placing a greater emphasis on a media provider’s ability to direct their marketing messages to the right viewers at the right time and, thanks to TV Everywhere, even at the right place.

But while the term big data describes the sheer volume of information being collected, analyzed and applied for these purposes, what makes those bits of information valuable is what they tell about personalized behaviors. With a number of consumer protection rules governing that personal data, it is becoming increasingly important for those who gather data to ensure that the customer information collected and stored doesn’t make them vulnerable to costly legal exposures. Nancy Libin and David Oxenford, partners at the Wilkinson Barker Knauer law firm, recommend a series of careful measures as protection.

As they observed in an article appearing in the September/October issue of The Financial Manager (“TFM”), MFM’s member magazine, “Like all businesses, media companies have a responsibility to protect the personal information they collect and maintain. Personal data is extremely valuable to identity thieves, and with data breaches on the rise, it is increasingly important that companies implement procedures to prevent, detect and mitigate data-security threats.”

Libin and Oxenford point out that 47 states and the Federal Trade Commission (FTC) have strict rules governing consumer privacy. In fact, the FTC has brought charges against companies that allegedly failed to implement reasonable security measures; some companies have paid fines of as much as $10 million (or more) to settle claims arising from a breach.

With authority stemming from a law prohibiting companies from engaging in “unfair or deceptive practices,” the FTC can allege, and has alleged, “deceptive” practices simply when companies fail to follow their own security policies.

In cases where there were breaches and the company hadn’t made claims about data security, the agency used “unfairness,” citing practices that, when taken together, “failed to provide reasonable and appropriate security for personal information.” Among these practices were such things as “failure to adequately assess the vulnerability of the computer network to commonly known or reasonably foreseeable attacks; ignoring the need to implement simple, low-cost and readily available defenses to such attacks; storing the information in an unencrypted form that could be accessed easily by using a commonly known user ID and password, and not employing sufficient measures to detect unauthorized access.”

So, how do breaches typically occur? The attorneys cite Verizon’s 2013 Data Breach Investigations Report, which found that 52% of data breaches involved hacking into a company’s system by using stolen credentials or brute force. In cases where a network was infiltrated, malware (or spyware) was involved in 40% of the cases and social tactics, such as phishing scams targeting employees, were used in nearly 30% of the security breaches.

To reduce your company’s risk of a data breach and/or being charged by the FTC, Libin and Oxenford recommend taking the following steps:

1. Designate a chief privacy officer (CPO) who is responsible for developing and implementing a data privacy and security program and identifying associated risks.
2. Deploy security defenses that improve data security, such as replacing the default passwords that come with equipment and software the company purchases, requiring employees to have a valid business purpose before accessing sensitive personal information, and only accessing the information from secure computers and devices.
3. Hire a chief information security officer (CISO) to implement the technical aspects of a data-security program. These measures include requiring strong passwords; encrypting information; instituting robust authentication controls; making sure all WiFi networks are password-protected; and educating employees about phishing attacks and other signs of malicious activity.
4. Regularly back up important files on servers and/or with secure cloud services.
5. Include data-security requirements in contracts with third-party providers to ensure that they implement sufficient data-security protection practices.
6. Develop a response plan so that the company is ready to act quickly to identify and mitigate the harm of a data breach. Use a risk-assessment matrix to determine data loss and risk of harm to individuals and identify when it’s appropriate to notify consumers, regulators, state attorneys general or consumer protection agencies.
7. Regularly review and revise the company’s data collection and use policies.

As the experts note, the ounce of prevention involved in implementing these “rules of the road” may save companies many pounds of hurt down the road. With the growing demand for “big data” applications that rely on customers’ personal information, we all have a ton of reasons to consider their advice. I hope these recommendations – and the reasons behind them – serve as a starting point for evaluating the current state of data security precautions at your organization.

(Mary M. Collins is president and CEO of the Media Financial Management Association and its BCCA subsidiary. She can be reached at mary.collins@mediafinance.org.)
