Ensuring the security of customer personal data is crucial in the current digital environment. It is not just a legal requirement for businesses to safeguard the personal information they gather, but also essential to build and sustain customer trust. This comprehensive guide will delve into methods, resources, and recommended approaches for protecting customer personal data, guaranteeing that your business stays compliant and reliable.
This guide is focused specifically on the protection of customers’ personal data. Guidance on general cyber security for businesses can be found in the Small Business Cyber Security Guide and the Strategies to Mitigate Cyber Security Incidents published by ASD’s ACSC. Please note, this guide is not exhaustive and should be used in conjunction with guidance from the Office of the Australian Information Commissioner (OAIC).
Data breaches targeting Australian businesses and their customers are growing in complexity, magnitude, and consequences. In an era where online transactions are on the rise, it is crucial for businesses to safeguard the personal data they gather from customers against unauthorized access, disclosure, corruption, and loss. Therefore, it is imperative for businesses to implement necessary measures to protect any personal information or data in their possession.
For Australian organizations to successfully apply the advice below, they need to thoroughly comprehend their data and cybersecurity procedures. To facilitate this process, the ACSC of the ASD suggests that companies utilize the complimentary Exercise in a Box tool to self-evaluate their data and cybersecurity practices and pinpoint any specific strengths or weaknesses.
Introduction: Securing Customer Personal Data
Securing Customer Personal Data: Tailored for small to medium businesses. In this guide, personal data encompasses a wide array of information that can be used to identify a specific individual. Such information may encompass:
|
|
Often, personal data is greater than the sum of its parts, as when seemingly innocuous data is aggregated or combined it can be used to form a more complete picture about an individual. The OAIC has further information available on personal information.
1. Legal and Regulatory Obligations in Australia
Businesses in Australia are subject to various legal and regulatory obligations when it comes to securing customer personal data. These include guidance and requirements from the Office of the Australian Information Commissioner (OAIC) and other relevant bodies. Key regulations include:
Privacy Act 1988: This Act regulates the handling of personal information about individuals, including the collection, use, storage, and disclosure of personal information.
Australian Privacy Principles (APPs): These principles set out standards, rights, and obligations in relation to handling, holding, accessing, and correcting personal information.
Understanding and complying with these regulations is crucial for businesses to avoid legal penalties and maintain good standing.
2. Key data security practices
For businesses to be confident they are employing appropriate data security practices ASD’S ACSC has a number of key recommendations that businesses should consider implementing. These key recommendations are:
|
|
3. Create a register of personal data
It is crucial for businesses to have a thorough understanding of the personal data they collect and store from customers in order to effectively protect it. Therefore, it is recommended that businesses maintain a comprehensive record outlining the various categories of customer data they hold and the specific locations where it is stored. One approach could involve developing a customized database and data asset register to suit their specific needs. It is imperative to regularly update and verify these records to account for any new sources and storage locations of customer data. These registers should follow a standardized format to ensure the inclusion of all necessary information. Further assistance on establishing and managing an information asset register can be obtained from the National Archives of Australia.
4. Limit personal data collected
Businesses should ensure that they collect only the necessary personal data from customers to facilitate efficient operations. It is imperative to clearly and accurately define the reasons for collecting such data and the intended purposes for its use. Extraneous personal information should not be gathered from customers under the guise of potential future utility, unless there is a well-defined understanding of its prospective use. The accumulation of extensive personal data from customers heightens the risk in the event of a data breach.
5. Delete unused personal data
It is essential for businesses to establish and enforce policies that govern the duration for which customers' personal data is retained before its deletion. These policies must clearly define the timeframes or criteria for data retention, as well as the procedures to be followed once the required retention period has elapsed.
The maximum duration for which businesses retain customers' personal data before deletion should be determined by the specific use case or risk profile of each business, along with the nature of the personal data collected from customers. Businesses should strive to implement a rigorous program with shortened retention periods wherever feasible, ensuring that customers' personal data is promptly deleted once it is no longer necessary. This approach aims to reduce the instances of unnecessary retention of customers' personal data, thereby mitigating potential risks to customers.
The maximum duration for which businesses retain customers' personal data before deletion should be determined by the specific use case or risk profile of each business, along with the nature of the personal data collected from customers.
When it comes to the deletion of customers' personal data, it is imperative for businesses to implement a robust data sanitization or removal program. This not only helps mitigate the impact in the event of a data breach involving customers' personal information but also reduces risks for both the business and its customers. Businesses should carefully assess the necessity of retaining customers' personal data that does not serve any operational purpose, as such unnecessary retention poses a significant risk. Moreover, businesses should evaluate instances of unnecessary duplication of customers' personal data and promptly eliminate any redundant copies unless a clear business justification exists for their retention.
6. Consolidate personal data repositories
Consolidating customers’ personal data into centralised locations or databases allows businesses to focus on key data repositories and apply enhanced security practices. In doing so, storing customers’ personal data in fewer locations can also reduce the complexity of managing it and frees up resources to apply stronger data security measures. Businesses that are utilising both local and cloud-based databases will need to ensure that appropriate security measures are in place for both.
Control access to personal data
Implementing robust and effective access controls is crucial to ensure that employees only have access to customers' personal data necessary for their job duties, and that they are limited to performing only essential actions on such data. By enforcing strong access controls, an extra layer of security is established, even in scenarios where unauthorized access to business systems has been obtained through compromised credentials or by an insider threat.
As an initial step in deploying access controls, organizations should evaluate the specific actions and corresponding privileges required by employees to fulfill their roles, and then restrict them from executing any unauthorized actions. Employees with privileged system access, such as administrators, should have appropriate limitations imposed on their privileges to mitigate potential damage in case of a compromised account, as the impact of a compromised privileged user can be detrimental to business operations. Moreover, careful consideration should be given to identifying users with access privileges to manipulate backups, as any interference with these backups can severely hinder an organization's data recovery capabilities in the event of an incident. Businesses should also prioritize providing additional security training for privileged users.
7. Encrypt personal data
Full disk encryption should be applied to businesses’ devices, such as servers, mobile phones and laptops, that access or store customers’ personal data to provide protection against customers’ personal data being accessed by unauthorised parties, such as when devices are sold, lost or stolen. Additionally, businesses may choose to implement file-based encryption to add an extra layer of protection in the event that systems are compromised as part of a cyber attack.
Finally, customers’ personal data should be protected by encryption when communicated between different devices, such as between businesses and customers over the internet. While the encryption of customers’ personal data can reduce the immediate consequence of access by a cybercriminal, businesses should be aware that encryption is not guaranteed to prevent data breaches as not all encryption offers the same security and cybercriminals can still identify ways to exploit encrypted data.
Great article, very helpful.