PLAN AHEAD

Incorporate privacy and security from start to finish.
Thinking about the data you will collect and store while you design your product or service is only one part of “baking in” privacy. You also need processes in place to address issues that might arise in the future. Save time, money, and even your reputation by maintaining privacy and security practices that are holistic, regularly re-evaluated, and prepared for potential data security issues and legal demands.
LIMIT AND MONITOR INTERNAL ACCESS TO DATA.

While most businesses imagine shadowy hackers as their biggest security risk, insiders who can read records they have no business reason to see pose a comparable threat. To minimize it, adopt clear rules and technical controls that deny access by default and grant it only on a need-to-know basis, thoroughly train everyone who handles user information in your privacy and security practices, and log and audit every access to user data so that misuse can be detected after the fact.

In a 2014 survey, 71% of employees in a variety of fields, including sales and business operations, said they have access to data they should not be able to see.
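The controls above, need-to-know access plus an audit log that is reviewed for misuse, can be put into code. The following is an added example, not code from the original page or from any company discussed here. It assumes a hypothetical support desk where an agent may read a rider's record only while holding an open ticket for that rider; the ticket table, record store and timestamps are constructed sample data. Every read attempt, allowed or denied, is appended to an audit log, and a second routine scans that log for the "browse everyone" pattern that need-to-know rules are meant to stop.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    record_id: str
    allowed: bool
    reason: str


class RecordStore:
    """User records guarded by a need-to-know rule and an append-only audit log.

    Hypothetical model: an (actor, record_id) pair in `tickets` means the actor
    currently holds an open support ticket for that record and may read it.
    """

    def __init__(self, records, tickets):
        self._records = records          # record_id -> record (constructed sample data)
        self._tickets = set(tickets)     # open tickets granting need-to-know
        self.audit: list[AuditEvent] = []

    def read(self, actor, record_id, now):
        """Return the record only if `actor` has an open ticket for it.

        Access is denied by default, and every attempt is logged before the
        decision is returned, so a denied lookup leaves the same trail as an
        allowed one.
        """
        if (actor, record_id) not in self._tickets:
            self._log(now, actor, record_id, False, "no open ticket")
            return None
        if record_id not in self._records:
            self._log(now, actor, record_id, False, "no such record")
            return None
        self._log(now, actor, record_id, True, "open ticket")
        return self._records[record_id]

    def _log(self, ts, actor, record_id, allowed, reason):
        self.audit.append(AuditEvent(ts, actor, record_id, allowed, reason))


def flag_excessive_access(audit, window=timedelta(hours=1), max_denied=2, max_distinct=5):
    """Return {actor: reason} for actors whose activity inside any sliding
    `window` exceeds the denied-lookup or distinct-record thresholds.

    Thresholds are illustrative; tune them to the real workload.
    """
    by_actor = defaultdict(list)
    for ev in sorted(audit, key=lambda e: e.ts):
        by_actor[ev.actor].append(ev)

    flagged = {}
    for actor, events in by_actor.items():
        start = 0
        for end, ev in enumerate(events):
            # advance the window start until it is within `window` of this event
            while ev.ts - events[start].ts > window:
                start += 1
            span = events[start:end + 1]
            denied = sum(1 for e in span if not e.allowed)
            distinct = len({e.record_id for e in span})
            if denied > max_denied:
                flagged[actor] = f"{denied} denied lookups within {window}"
                break
            if distinct > max_distinct:
                flagged[actor] = f"{distinct} distinct records within {window}"
                break
    return flagged


def demo():
    """Constructed scenario: one agent works her tickets, another browses at will."""
    t0 = datetime(2024, 1, 1, 9, 0)
    store = RecordStore(
        records={f"rider-{i}": {"rides": i} for i in range(1, 9)},
        tickets={("alice", "rider-1"), ("alice", "rider-2")},
    )
    # alice reads only the two riders she has tickets for: allowed and logged
    assert store.read("alice", "rider-1", t0)["rides"] == 1
    assert store.read("alice", "rider-2", t0 + timedelta(minutes=5))["rides"] == 2
    # bob holds no tickets and walks through every rider: each read is denied and logged
    for i in range(1, 9):
        assert store.read("bob", f"rider-{i}", t0 + timedelta(minutes=i)) is None
    return store, flag_excessive_access(store.audit)


if __name__ == "__main__":
    store, flagged = demo()
    print(f"{len(store.audit)} audit events; flagged: {flagged}")
```

Two design points matter here. The authorization check and the audit write live in the same method, so there is no code path that reads a record without leaving a trace; and denials are logged as richly as successes, because a string of denied lookups is often the earliest sign that someone is probing for access they should not have.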

Case Study

Uber’s "God View" Causes Users to Lose Faith

Uber was hammered with negative press, a #DeleteUber movement, and Congressional inquiries after stories emerged that some Uber employees had "God View," a tool that let them see the ride history and other information of any Uber user. Public outrage over the company’s “troubling disregard for customers’ privacy” forced Uber to commission an outside evaluation of its data privacy program, and in January 2015 it promised to improve its privacy practices based on that firm’s recommendations.

Case Study

Facebook Criticized for Poor Internal Security

Users were outraged and the company’s reputation was tarnished in 2007 when it came to light that the company had very poor internal security measures. Users demanded change after it was widely reported that the company was not properly safeguarding private profiles from employee misuse: employees could view users’ private profiles and track which users were viewing particular profiles.

KEEP YOUR SYSTEMS AND DATA SECURE FROM OUTSIDE THREATS.

Security breaches can undermine your users’ trust and cause them to take their data elsewhere. Many breaches can be prevented by taking steps to protect the systems and data under your direct control. Work with your engineering team and outside experts to implement security best practices such as network activity monitoring, endpoint security for devices that connect to your network, routine security audits, and prompt installation of software updates.

Case Study

Citibank Hacked Using “Remarkably Simple Technique”

Citibank suffered a major security breach in 2011 and then faced a second wave of criticism for both its lack of preparation and its response to the incident. The company waited three weeks before notifying the 210,000 customers whose data were compromised. Several days later, Citibank announced that, in fact, more than 360,000 accounts had been hacked. When it was revealed that the hackers had used a “remarkably simple technique” to exploit a widely recognized vulnerability (after logging in, they changed the account number in the web address to pull up other customers’ accounts), critics compared Citibank to a “mansion with a high-tech security system” where “the front door wasn’t locked tight.”

PROTECT YOUR ENTIRE DATA ECOSYSTEM.

In addition to securing the data you hold, you need to make sure that your users’ data is secure even when it is not on your servers. If third parties are going to have access to your users’ data, make sure their privacy and security practices are consistent with your own. Consider how you can formally require third parties to meet your standards, for example through contractual terms, and how you will verify compliance with those requirements rather than taking it on trust.
