Lessons to learn from Tesco's privacy issues
Richard Foster, UK director for data privacy firm TRUSTe, offers some useful words of advice about the importance of protecting customers' personal data.
An online security expert recently revealed that Tesco had failed to properly protect customers’ personal data. The expert noted that Tesco responded to password-retrieval inquiries by displaying customer passwords as plain text in the body of the recovery email, demonstrating that the stored data had no cryptographic protections in place. This same expert also found that the HTTPS encryption was applied inconsistently across the Tesco website, potentially compromising personal data.
In response Tesco promptly announced that it would change its security practices and can be lauded for taking swift action. However, privacy fallouts like this can have a significant impact on customer trust and can drain a company’s PR and legal resources for weeks or even months at a time. A fine from the ICO may run as high as £500,000 and in other jurisdictions can be substantially more significant. Making an upfront, proactive investment in strong privacy and security practices on a website can help a company protect its brand for these kinds of situations.
Customer trust is paramount to a healthy data relationship, and the privacy and security of personal data is among the most important aspects of this relationship. A recent TRUSTe survey of British adults found that 54% are more concerned today about their privacy online than they were a year ago. So what can we learn from Tesco’s privacy issues? Below we’ve outlined three key steps companies can take to avoid finding themselves in a similar situation:
Always encrypt sensitive data
Storing sensitive customer data as plain text invites a security breach down the road, so make sure that it is consistently encrypted whether in transit or in storage. TRUSTe requires all of its privacy-certified customers to encrypt data where the inappropriate use or breach of the data could cause financial, physical, or reputational harm to an individual. It’s 2012 and you should enable HTTPS uniformly across your site when sensitive data is collected, transmitted or stored. Just as a chain is only as strong as its weakest link, encrypted data is only secure insofar as it is always secured. A single vulnerable page can bring down your entire defence, so be disciplined and diligent in your application of online security measures. Indiscriminately mixing and matching HTTPS and HTTP on your site, for example, can spell disaster.
Require strong passwords
You should provide your customers with the opportunity to create strong passwords and encourage them to do so. Avoid artificially limiting the length or complexity of potential passwords combinations. Strong passwords are long, and make use of alphanumeric characters, upper and lower cases, and additional characters like asterisks and exclamation marks. Microsoft supplies helpful tips to create strong passwords as well as an online tool to check the strength of an individual password.
Consider third-party certifications
Sometimes, when implementing privacy and security measures on your site you can become so focused on the details that you lose sight of the bigger data protection picture and can overlook crucial vulnerabilities. Working with a vetted outside supplier with privacy and security expertise can help you address these blind spots, and it often make the process more cost-effective and efficient than developing equivalent programs in-house. Some third-party certifications include dispute resolution services and ongoing monitoring, allowing you to quickly identify new vulnerabilities and address them before they spiral out of control. A visible certification trustmark from a respected third party can also help you build trust with your customers and business partners by enhancing your brand through association.