Co-operative Life Planning (CLP) found to their horror that the personal details of 82,000 of their customers had been made available online. The source of the breach? Computer contractors hired to repair a file containing customer information. The contractors copied the customer data to their own servers to make the necessary repairs but failed to remove the sensitive data when they completed the job. They subsequently suffered a data breach and the file was compromised. CLP was not aware the contractors had violated their policies by moving the data off site.
What can a small business learn from this incident?
1) Have a Non-Disclosure Agreement with all IT contractors which stipulates the contractors understand your security policies. You do have security policies, right?
2) Require all contractors to disclose any data being moved to a different location, even if it’s a different location within your own organization.
3) Assume ALL data being moved is sensitive and take the necessary precautions. In many cases data thought to be benign actually contains sensitive information as well. Categorizing ALL data as sensitive removes this possibility.
4) If data must be moved, establish how long the data will be maintained at the alternate site and the process for ensuring the data is removed. Be sure to find out how data at the contractor’s location is backed up and whether your files will end up on their backups.
5) Grant a contractor permission to move data only if there is no other alternative. That it’s more convenient for the contractor does not constitute “no other alternative.” Remember, once the data leaves your environment, you no longer have control, yet it’s still YOUR responsibility.
Does all this seem like a lot of trouble when working with your IT contractors? Not nearly as much trouble as having to explain to your customers how their private information suddenly became public. Or, more likely, your former customers.