John calls the retailer and asks to review any data they hold on him. Take a look at the data they hold and decide which items could be used to identify John.
Which four pieces of information could be used to identify John?
- The date his account was established with the company
- Frequency of purchases
- Sign up for newsletter Yes/No
- Months/years active with the company
- Value of purchases over time
A newsletter preference is too generic to offer any reasonable chance of identifying an individual. While the frequency of your purchases or the number of years you’ve been active with the company may seem too non-specific to help identify you, remember this: Multiple pieces of personal data can be used to narrow a search to an individual.
It’s important that you know what data qualifies as personally identifiable information in the US and personal data in the EU, and understand how various pieces of personal information can be combined to identify an individual.
Now we’ll look at a real-life example.
Viktor is working from a cafe. He is collating employee information into a spreadsheet for his company. Viktor wants to update the project on the network, but the cafe’s Wi-Fi is unprotected. Let’s see how he handles this.
Viktor decides to use the company Virtual Private Network. He can use the cafe’s unprotected Wi-Fi to create this private connection. Viktor has ensured that the personal data/PII remains protected and secure within his company’s network.
Viktor is getting ready to leave the cafe, but wants to do some work on his smartphone while commuting on the bus. Viktor knows he has to be responsible when sending and saving files.
Viktor encrypts the file he wants to work on with a password that only he knows and saves the file onto his phone. Viktor ensures that the data is protected and is aware that he should only ever work with files on authorized work devices and in accordance with his company’s IT security policy.
Viktor knows he is liable for any data he works with. Any breach of data can have financial impacts or legal risks, and could harm the company brand and reputation. His company could also be subject to significant fines if implicated in a data breach. No matter where you work from, personal data/PII must always be protected.
Protecting Customer Information
Imran’s company is merging with another organization. Both organizations operate in the US and the EU, and they’ll need to share personal data and personally identifiable information (PII).
He’s worried about ensuring this data is protected after the merger. He’s compiling a list of questions to ask the other organization.
What five questions should he ask?
- Is data stored securely and accessed only by authorized users?
- Are policies in place to protect data providers’ anonymity?
- Are users trained in data protection policies?
- Are security audits completed on a regular basis?
- Are electronic records securely purged?
- Are bonuses paid to staff to protect PII?
Ensuring Security of Personal Information
Imran needs to create a spreadsheet for the marketing department with details of customer purchasing trends.
What must he do to ensure the security of any personal information?
- Print out the spreadsheet and hand-deliver it to his contact in the marketing department.
- Make anonymous any personal information before emailing it to the marketing department.
- Send the spreadsheet as an attachment in an email to the marketing department.
Identifying Data Breaches
An audit of the other organization’s network highlights major security vulnerabilities. Research identifies a possible data breach.
What are the three possible consequences?
- Any customers whose information was compromised could take legal action against Imran’s company.
- Imran’s company could be liable for huge fines and possible criminal charges.
- Imran will lose his job, but the company will face no other consequences.
- Imran’s company could suffer bad publicity
Protecting Confidential Information and Sensitive Data
Accidents happen… laptops are stolen, mobile devices are lost, emails are sent to the wrong recipients – but if you follow the correct procedures, then accidents don’t have to become security incidents.
Here’s what you need to do to protect our confidential information and sensitive data:
- Identify the classification of the data you handle.
Use the handling protocols for that class of data to:
- Share data appropriately
- Store data securely
- Properly dispose of data
Please also note that in some circumstances disclosure of confidential information is required by law.
Arthur is working on a new project and needs to share company information with a marketing consultant. He knows he needs to classify the information before sharing it, but he’s not sure what classification he needs to assign to the information. The information he needs to share relates to an upcoming marketing plan.
How should Arthur classify the information?
- Public – Information that can be freely shared with any individual or group.
- Internal – Potentially sensitive information that should not be shared outside our organization.
- Confidential – Information that may adversely affect employees, individuals, or our business if disclosed to unauthorized parties.
- Restricted – Information that we have a regulatory or legal obligation to maintain and protect.
Sayo’s partners have asked for some project related data that is contained in a confidential report. They need the data immediately and have asked Sayo to e-mail it to them. Sayo has already taken steps to ensure that no personal data is involved, so the data protection rules are not applicable.
Does Sayo need to do anything else before emailing the report?
- Yes. She must encrypt the report using the approved encryption tools before she sends it.
- No. She’s already labelled and marked the report as confidential, so she can go ahead and e-mail it to the supplier.
- Yes. She must send the report to the IT security team so that they can encrypt it and return it to her before she sends it.
Notification of Fraud
Lucas has just been notified that his firm is the common factor in a surge of credit card fraud.
What three areas will need to be investigated?
- Credit card data collection at point of sale (in-store, online, call center)
- Order fulfillment (in-house/outsourced)
- Payment processing and data storage (in-house/outsourced)
- Payment data transfer (wired/wireless network, online, call center)
The investigation reveals that the company’s e-commerce database was hacked using compromised credentials. There are five critical changes
Can you identify the five changes?
- Monitor and investigate out-of-hours activity and unauthorized access to systems.
- Force frequent password changes.
- Limit login attempts by users.
- Take the online store business offline.
- Clean and restore affected systems.
- Remove dormant accounts from the system.
One of the worst conclusions that came from the investigation was the vast volume of records the criminals were able to access.
Lucas asks your advice on what can be done to limit the scale of future breaches.
What two things should you tell him?
- Only collect credit card data once a sale has been committed.
- Fully outsource responsibility for customer credit card data to a payment service provider (PSP) who will then have full responsibility to fulfill the obligations under PCI.
- Always destroy credit card data as soon as the expiry date is reached and whenever customers delete their accounts.
Avoid a Privacy Breach
Alison needs to identify the data privacy risks associated with moving our customer databases to the cloud.
Her first task is creating a project team folder. She asks your advice on what she needs to consider to avoid a privacy breach.
What four things should she consider?
- The location of the server that contains the folder.
- The number of files that she can store in each new folder.
- If the folder’s physical location will change.
- If anyone within the Cloud Service Provider will have access to the storage.
- The backup options available.
Moving Data Internationally
Alison is based at the EU headquarters, but her team is working in New York. She gathers samples from several of the national databases to send back to the project team in the United States. Her company participates in the Privacy Shield Framework.
She asks you what she needs to do to ensure secure communication.
What two things should she do?
- Remove references to the original authors’ names and business units before sending.
- Remove the document’s local backup after uploading to the cloud.
- Only upload PII if it is permitted by company policy and it is strictly necessary for the project being undertaken.
- Use Virtual Private Network (VPN) or equivalent to connect to the cloud.
Secure the Data
Mark is preparing a security plan for storing the personal information of clients and personnel in digital and hard copy format. He wants to know what the essential elements of an effective data security plan are.
Which five elements are essential?
- Physical security
- Electronic security
- Employee training on data privacy
- Security practices of contractors and service providers
- The categories into which the data is placed
- Reporting features of the data application
Ernesto needs to set up a form on the company website that will allow visitors to enter their personal information. He asks you what he needs to
include on the website before he can collect personal information from visitors.
Which three things must be included?
- A statement detailing exactly how data will be used
- A privacy statement outlining how data is stored and managed by the company
- An option to allow visitors to choose whether to opt-in to have their data shared
- Fields in the form to collect religion and sexual orientation
This content is an extract from the data privacy training course