By JOHN MAYLEBEN
Recently, Facebook announced that it had discovered a possible data breach and that roughly 50 million Facebook users were being forced to log back in and prove they were the “real” user. This possible breach may generate a massive $1.6 billion (that is with a “B”) fine from the EU, if it is proven that Facebook violated European privacy rules.
This made me think about how businesses use data that has nothing to do with payment card transactions (cardholder data, commonly called PCI data), yet that data still exposes them to breaches that could put them in the crosshairs of local, state, federal or international regulators.
Because we have a sometimes (OK, almost always) dysfunctional federal legislative process, and because state legislators and regulators tend to hate a vacuum where issues aren’t addressed, we have ended up with a hodgepodge of data breach laws from the various states, each with its own definitions, deadlines and notification requirements.
Also, because consumers use computers to make purchases across state lines, you must contend with cross-jurisdictional issues: the rules that apply are often those of the state where the customer lives, not the state where your business sits. Hopefully the federal government can craft a nationwide solution that will preempt the states’ patchwork quilt of rules.
As a business owner, you should spend time looking at all of the places in your business where customer data is collected and figure out how and when you need to protect it. In light of the cross-jurisdictional nature of customer data, you also need to review which rules apply. At first pass, ask the question “why?”
• Why do we need to collect this data?
• Why, if we collect it to handle a specific transaction, do we need to keep it?
• If we need it, why does it need to be stored the way it has been in the past?
Some data points are obvious: credit card data, check; checking account data, check. But what about the birthday club you run? If you collect the birthdays of your customers as a way of sharing a coupon on their birthday, how do you protect that data? Have you looked at the redemption rate of those coupons? Is it something you should discontinue or modify?
What about shipping data? Do you, as a matter of regular business, ship merchandise to your customers? Is it a one-time transaction or recurring? How do you store their addresses? How many different places do you store their shipping addresses?
Other customer data? Does this data cross the line into some other data protection law? FERPA (Family Educational Rights and Privacy Act)? HIPAA (Health Insurance Portability and Accountability Act)? GDPR (General Data Protection Regulation), the EU’s regional data protection law, which applies to you if you handle data about EU residents even when your business is in the US? The FTC Act (regulating unfair and deceptive business practices, which the FTC has used against companies that promised security they didn’t deliver)? The Financial Services Modernization Act, commonly called the Gramm-Leach-Bliley Act (GLB)? FCRA (Fair Credit Reporting Act)? What about the European (and, because we are so interconnected, bleeding over to the US) “cookie” rules for websites?
Make sure that you understand which regulations apply and how to comply with them. While no one wants to have a data breach, you really don’t need the added insult of discovering, after the breach, that you were also in violation of some regulation you didn’t know about.
John Mayleben, one of the nation’s first Certified Payments Professionals designated by the Electronic Transaction Association, is an MRA consultant and national expert on payment processing.