In light of many high-profile incidents involving the loss or theft of customer data, including passwords and credit card numbers, it is understandable that customers should be concerned about the ways in which businesses use and protect their data. Customer data requires stringent security measures; if a company is not taking these measures, we must wonder how high a value it places on protecting the information that belongs to its customers.
A cursory glance at some of the more recent security breaches suggests that some major companies have failed to prioritize the security of their customers' information. Additionally, failure to immediately notify customers after an incident in which their data may have been compromised reflects badly on the company and can seriously affect a business's reputation — once lost, customer confidence is almost impossible to regain. Effects on the customer can range from inconvenience (e.g., a sudden deluge of spam, or the need to change all of their passwords) to significant financial loss, or even the nightmare of identity theft.
From the customer's perspective, the situation presents a difficult dilemma. Some people happily share information on social media web sites and provide their credit card information and other personally identifiable information without much regard for the possible consequences (until something goes wrong), and others are almost paranoid about whom they allow to access personal information. Unfortunately, if we refuse to allow any businesses to access our data, then everyday life becomes extremely difficult. We could not book flights or shop online, and social interactions would be much more limited. If we want to take advantage of the conveniences offered by modern technology, we must be prepared to accept some risk.
That said, it is incumbent on any business, large or small, to have comprehensive privacy policies and security measures in place to minimize the risk to customers. Failure to do this could potentially result in lawsuits and loss of trust, so it should be something companies are prepared to spend time and money on. The following measures should be taken by every business that collects sensitive data from customers:
- Sensitive customer data should be encrypted (e.g., passwords, credit card numbers, social insurance numbers)
- Access to personally identifiable information should be limited to only the employees who require it in order to perform their job function
- Password policies should be rigorously followed and enforced on all login credentials
- Security questions should be part of the process when a user forgets his or her password, or when logging in from a new location
- Use of private memory sticks and notebook computers should be carefully controlled; company-issued devices should be secured with strong encryption before they are permitted off site
- Business partners and contractors should be required to follow and enforce the company's security policies and best practices
- Physical security measures should be in place to prevent theft or fire damage
- High-quality electronic security measures should be in place to avoid viruses and deter hackers
No one should offer their sensitive personal data unless they have complete confidence in the security of systems used to store and manage that information.
InSite follows and enforces very strict physical and electronic security policies in order to protect its customer data. Our customers are our most important asset, and we treat customer data with the same level of care and due diligence with which we treat our own. Privacy and confidentiality are essential to business best practices — particularly in the area of online surveys, where meaningful respondent feedback and constructive survey results are so important.