The main victims of any data breach are actually the people, the customers, whom their personal information has been stolen and oddly they don’t get the deserved attention. Questions like what was the impact of the theft on me as a customer, what can I do about it and whether I deserve some compensation are rarely dealt with publicly.
Customers face several key problems when their data was stolen, questions such as:
- Was their data stolen at all? Even if there was a breach it is not clear whether my specific data has been stolen. Also, the multitude of places where my personal information resides makes it impossible to track whether and where my data has been stolen from.
- What pieces of information about me were stolen and by whom? I deserve to know who has done that more than anyone else. Mainly due to the next bullet.
- What are the risks I am facing now after the breach? In the case of a stolen password that is used in other services I can go manually and change it but when my social security number was stolen, what does it mean for me?
- Whom can I contact in the breached company to answer such questions?
- And most important was my data protected properly?
And what if each company adopted a customer data protection policy (CDPP), an open one, where such a document would specify clearly on the company website what kind of data it collects and stores and what security measures it applies to protect it. From a security point of view such information can not really cause harm since attackers have better ways to learn about the internals of the network and from a customer relationship point of view, it is a must.
Such a CDPP statement can include:
- The customer data elements collected and stored
- How it is protected against malicious employees
- How it is protected from third parties which may access to the data
- How it is protected when it is stored and when it is moving inside the wires
- How is the company expected to communicate with the customers when a breach happens – who is the contact person?
- To what extent the company is liable for stolen data
Such document can increase dramatically the confidence level for us, the customers, prior to selecting to work with a specific company and can serve as a basis for innovation in tools which can aggregate and manage such information.