Does Your Business Fail the Customer Privacy Test?

I had a recent experience where my privacy was compromised, and based on the inaction by the company, I wonder how many experiences I encounter that are not as obvious.

I visited a local branch of a national financial institution to make a deposit (yes, I still walk into banks every now and then), and after I gave my endorsed check and deposit slip to the teller, he placed them face down into a clear plastic box that was in front of him. The box was in clear view of the customer opposite him (me). If the next customer did not make a deposit, no papers would go into the box to cover my items. Therefore, the next customer would be able to clearly see my endorsed signature AND my account number. Anyone with a good memory could leave the bank with my financial information.

I told the teller that I could see my signature and account number (important elements of my PII, or in other words, my Personally Identifiable Information) and that the next customer would also be able to see them, and the teller shrugged and said, “That’s the way we do things. Go see the manager.” So after my transaction, I found the manager and voiced my concern, and he said, “No one has ever complained before.” Well, I complained and said: do something now. The manager asked the teller to move the box to a different place in his work area, but the next time I visited the branch, the clear box was back in plain view.

Unfortunately, it does not surprise me that there is no widespread concern for privacy, not to mention security. But for a BANK, of all types of businesses, to place a customer’s data on display is nearly criminal. I thought to myself, one customer may have his identity stolen and never realize that it was due to the bank’s procedure. But isn’t one person’s identity theft due to negligence even one person too many?

The craziness of this situation is that the solution is simple: either move the plastic box, or make it a solid color on three sides and leave it open facing the teller. At the very least, cover it after every customer interaction.

As anyone who works in the information security industry knows, it always comes down to ease-of-use versus security procedures. The process of creating and implementing security procedures and then training employees on those security procedures takes time, money, and expertise. Many businesses refuse to do any of it.

The branch’s top management could easily have fixed the issue before anything bad happened. What makes this situation scary is that the top management team knows (thanks to my comments), but they don’t care. The chance that someone MIGHT get their data stolen from this behavior may not be astronomical. But it IS possible.

How many complaints must there be before the bank takes any action? Five? Ten? One hundred, or more? Perhaps there should be a #servicefail campaign on Twitter to get the bank’s corporate office to take notice.

So, as a midsize business, do you care about how your customer data is handled? Do you make sure that ONLY those who are supposed to access it, both internally and externally, can? Based on stories in the mainstream media, too many businesses turn a blind eye toward customer privacy because they think a breach won’t happen to them. Do you regularly check and see if your customer data is safe?

Let’s take this discussion into the online arena. What happens when data is not protected while conducting online banking? The Heartbleed bug has made Secure Sockets Layer (SSL) protection less secure than it used to be. Now, even though users see a small lock in the browser, the credentials (user name and password) may still be at risk. Online banking has never been completely safe, and as long as people open email and click on links, there’s always the possibility of credential theft – that’s how a major retailer’s breach started.

If you’re not considering these issues and related solutions on a regular basis, you’re doing both your customers and your business a disservice. Don’t fail the customer privacy test.

Image Credit: Stuart Miles via FreeDigitalPhotos.net

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

About Allan Pratt

Technology and cybersecurity professional with focus on tech news, cybersecurity, networking, infrastructure, data protection, consumer electronics, and social media.
This entry was posted in Business Process, Data Security, Online Security.
