Losing your customers data is a bit like crashing your friend’s car, your friend will be angry, you’ll face fines due to having no insurance and none of your friends will ever let you drive their car. The same repercussions will happen if you lose your customers data, but on a much larger scale.
If you lose customer data, you can’t assume that they’ll “be fine about it” or “get over it” because they won’t. Imagine if an e-commerce site you often use had your payment data stolen, would you get over it?
If you lose customer data, you’ll be fined; it’s as simple as that. The recent loss of customer data at Target is predicted to cost around $680 million in fines alone, enough to force them to make some large changes.
In the UK fines are handed out by the Information Commissioner’s Office (ICO). Any organisation that breaches the UK Data Protection Act 1998 (DPA) can be fined up to as much as £500,000, enough to put many organisations into serious financial trouble.
Brand turned to mud
Not only will the loss of customer data result in the loss of current customers, it will also result in the loss of potential customers. If the story of you losing customer data were to hit the news, there isn’t a PR campaign capable of saving your reputation. But don’t be fooled into thinking your story has to his the news to lose potential customers; any of your previous customers that used to recommend you to their friends will now do the complete opposite and your brand name will only be spoken in hush-tone at industry events.
So how can you avoid losing data?
Data Protection Act (DPA)
First of all, any organisation in the UK that hold or process personal data must comply with the requirements of the DPA. I don’t need to convince you to think about the DPA, it should already be something you are already complied to.
If you aren’t DPA compliant, then I advise you learn more about DPA by reading the Data Protection Compliance in the UK Pocket Guide
PCI DSS is a contractual requirement (by your acquiring bank) if you store, transmit or process card holder data.
Short for Payment Card Industry Data Security Standard, PCI DSS will help your organisation better protect your customer’s information. The level of PCI DSS which you must comply to is dependent on how many transactions you process as well as a few technical things. If you are using a third-party service provider it is your duty to ensure they comply with PCI DSS. If a data breach occurs you are liable for loss of data too.
You can learn more about PCI DSS in the PCI DSS Third Edition Pocket Guide
ISO 27001 implementation (and certification) has increasingly become a contractual requirement for many. In many cases those who can demonstrate compliance with this standard, have a competitive advantage.
ISO 27001 is the internationally recognised standard describing best practice for an Information Security Management System, often shorted to ‘ISMS’. By implementing ISO27001 into your organisation, you will significantly reduce the chance of your customer data being stolen. Not only does ISO27001 provide that security, it also provides a long list of other benefits such as:
- Win new business opportunities
- Avoid large financial penalties
- Enhanced customer satisfaction that improves client retention
To learn more about ISO27001 and how it can benefit your organisation, I invite you to attend IT Governance’s event in Bedfordshire on 30th January, Leveraging ISO 27001 2013 to address Information Security and Cyber Security issues