There is no denying that businesses need to be more diligent in protecting their customers’ data, but with all the data breaches publicized in the mainstream media, who cares more about privacy? What do you think: businesses or consumers?
Despite the many data breaches, consumers continue to provide their Personally Identifiable Information (PII) to midsize businesses. At the top of the list, this confidential information typically includes full name (first and last), home address, phone numbers, and email address. Depending on the business, requested information may also include social security number, date of birth, place of birth, gender, passport number, driver’s license number and state, vehicle registration plate, financial transactions, bank accounts, credit card numbers, criminal background, fingerprints, medical history, names of schools attended, and current or previous employers.
What is different about protecting PII compared to any other data and how should PII be protected? According to the “Guide to Protecting the Confidentiality of PII” published by the National Institute of Standards and Technology of the U.S. Department of Commerce:
“In many cases, protection of PII is similar to protection of other data and includes protecting the confidentiality, integrity, and availability of the information. Most security controls used for other types of data are also applicable to the protection of PII. For PII, there are several privacy-specific safeguards, such as anonymization, minimization of PII collection, and de-identification. In addition to protection requirements for PII, there are other requirements for the handling of PII. The Fair Information Practices provide best practice guidelines, such as Purpose Specification, Use Limitation, Accountability, and Data Quality. Moreover, the factors for assigning a confidentiality impact level to PII are different than other types of data. Breaches to the confidentiality of PII harm both the organization and the individual. Harm to individuals should be factored in strongly because of the magnitude of the potential harm, such as identity theft, embarrassment, and denial of benefits.”
But consider this: many consumers (some might argue too many) willingly hand their PII to businesses without much thought to how it may be used and stored. What happens every time someone visits a supermarket? Their rewards card gets scanned, and the store IMMEDIATELY knows who they are, where they live, what their phone number is, what their email address is, and most importantly, what they purchased. The same thing happens at gas stations, restaurants, and other brick-and-mortar venues, as well as online.
Does your business have a rewards or loyalty program? If yes, what PII do you request? Do you explain why you request each specific piece of PII? How do you communicate with consumers to let them know you value their privacy and data as much as they do? How often do you contact consumers to update their information, and how often do you review and/or purge the PII you hold?
Answers to these and related questions should be a high priority and involve your entire leadership team. These discussions should not be delegated to the network admins in your IT department, because when a breach happens, you, as a member of the leadership team, don’t want to be surprised. You will want to vividly recall all the protocols you put into place, the bullet points and/or press release drafts you wrote, and the key media people you want to reach out to.
Above all, you want your business to be proactive and transparent with consumers. Decisions made now will put your business in a better position to survive a breach.
PII definition by Wikipedia:
“Guide to Protecting the Confidentiality of PII” published by NIST of the U.S. Dept. of Commerce:
“Why Big Companies All Have Loyalty Programs”
“Survey Shows You Don’t Care About Privacy As Much As You Think You Do” by Joshua Steimle (@donloper)
Privacy Rights Clearinghouse – to learn about the latest data breaches:
This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.