Do you store information about your customers, clients, suppliers, vendors, and employees on a computer system? If so, you need to be aware of the many efforts under way, at least in the United States, to keep that data secure. Many states are enacting or have enacted legislation requiring businesses not only to safeguard that information, but also to notify customers if such information becomes compromised.

For example, Senate Bill 1386 in the state of California amends the existing Civil Code to provide Californians immediate notification when confidential information about them has been compromised due to a breach of any computer system that stores such information. Many other states are enacting similar legislation.

If you think these types of bills don’t affect you, think again. Any business, government or non-profit agency, or individual that stores confidential information about a person on their computers is impacted. You should check with your state about any such bills it has enacted to see if you are affected. There is a good chance you are.

What Is Confidential?

What's considered to be confidential personal information? Here are some examples: Social Security numbers, driver's license numbers or identification card numbers, account numbers, credit or debit card numbers, etc. Check with your state for a complete list of what data is considered confidential. There are many laws in effect here in the United States, such as Sarbanes-Oxley, HIPAA and many others, that require data stored in computer systems to be secured. For example, some of these laws require first names, last names, and other seemingly harmless information to be stored securely.

To Comply or Not Comply…

It is your choice as to whether you choose to comply. If no one finds out, nothing happens. However, this is a civil law. So if the public embarrassment and public relations nightmare aren't reason enough to comply, there are also the lawsuits that will come from the individual(s) whose information was accessed. So you will have the risk of a class action lawsuit and unwanted media coverage.

Steps You Should Take as an Application Developer

You should start performing an inventory of your database systems and identify where any personal information is located. Make a list of the applications that access this personal information. Go through this list one-by-one and start implementing a more secure method of storing personal data.

If you have been developing using good N-Tier techniques over the years, you will find making these changes fairly painless. You can modify your data access layer to encrypt and decrypt the appropriate fields in this one tier, and all applications that use it take advantage of the change. If you have not, then you are most likely in for a lot of work.
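As an added illustration of the data-access-layer approach described above (not code from the original article), this C# sketch encrypts one confidential field on write and decrypts it on read inside a single repository class. It assumes .NET 8 or later for `AesGcm`; the `Customer` and `CustomerRepository` names, the in-memory table and the sample record are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

var repo = new CustomerRepository(RandomNumberGenerator.GetBytes(32)); // demo key only
repo.Save(new Customer(1, "Pat Example", "000-00-0000"));   // constructed sample record
Console.WriteLine(Convert.ToHexString(repo.StoredSsn(1)));  // stored form: no readable SSN
Console.WriteLine(repo.Load(1).Ssn);                        // plaintext returned to the caller

// Hypothetical entity; only Ssn is treated as confidential in this sketch.
public record Customer(int Id, string Name, string Ssn);

// Hypothetical data access layer: callers see plaintext Customer objects,
// the stored row holds nonce || tag || ciphertext in place of the SSN.
public sealed class CustomerRepository
{
    private const int NonceSize = 12, TagSize = 16;
    private readonly byte[] _key; // 32-byte AES key; load it from a key store, not source code
    // Stand-in for the database table: Id -> (Name, encrypted SSN).
    private readonly Dictionary<int, (string Name, byte[] Ssn)> _table = new();

    public CustomerRepository(byte[] key) => _key = key;
    public void Save(Customer c) => _table[c.Id] = (c.Name, Encrypt(c.Id, c.Ssn));
    public Customer Load(int id) => new(id, _table[id].Name, Decrypt(id, _table[id].Ssn));
    public byte[] StoredSsn(int id) => _table[id].Ssn; // what a database dump would expose

    private byte[] Encrypt(int id, string plaintext)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] blob = new byte[NonceSize + TagSize + pt.Length];
        RandomNumberGenerator.Fill(blob.AsSpan(0, NonceSize)); // fresh nonce per write
        using var aes = new AesGcm(_key, TagSize);
        // The row id is bound in as associated data, so a blob copied to another row is rejected.
        aes.Encrypt(blob.AsSpan(0, NonceSize), pt, blob.AsSpan(NonceSize + TagSize),
                    blob.AsSpan(NonceSize, TagSize), BitConverter.GetBytes(id));
        return blob;
    }

    private string Decrypt(int id, byte[] blob)
    {
        byte[] pt = new byte[blob.Length - NonceSize - TagSize];
        using var aes = new AesGcm(_key, TagSize);
        // Throws CryptographicException if the blob was altered or belongs to a different row.
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize + TagSize),
                    blob.AsSpan(NonceSize, TagSize), pt, BitConverter.GetBytes(id));
        return Encoding.UTF8.GetString(pt);
    }
}
```

Because the key never reaches the database, a copy of the table alone does not reveal the protected field; how the key is stored and rotated decides how much protection this actually gives.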

As you develop new applications you should ensure that you and your entire team are thinking of security up-front. It is much easier to implement security as you start an application than to try to add it in later on. Think about all areas in an application that could be affected, such as data that is stored in a database and data that is transferred across a network. If you are building an ASP.NET application, make sure that you have SSL in place when having a user enter sensitive information. The same goes if you are developing a Silverlight application and transferring the data back to the server via RIA Services or a WCF service.

Unsecure Data Stored

Do you use a Microsoft Access database to store data for your application? If so, you are at a very serious risk. Microsoft Access does very little to secure data. Even if you have secured the database using the built-in tools in Microsoft Access, there are many tools that you can get on the Internet that will crack the Microsoft Access security easily. Now may be the time to think about moving this data to a more robust database such as SQL Server or Oracle. At the very least you should consider implementing encryption in Access to better secure this data.

Do you use XML files, or maybe some other flat file data store? Do you create reports and store them as PDFs on a server? Once again, these types of files are very unsecure and you will need to take extra precautions to ensure that the data in these files cannot be compromised. You can use ACLs in the operating system to help you secure these files. Or, just print the PDF on demand, then delete the file immediately. Be sure you attach a privacy policy to the PDF file so the person who receives the report understands that they are responsible for safeguarding the information in the report.

SQL Server 2008 is a much better choice for a database system. This version of SQL Server has built-in encryption/decryption so you do not need to modify your application code. You simply turn on the encryption and decryption at the individual column level and it takes care of doing all the hard work for you. This is a huge reason for upgrading any unsecure data stores to SQL Server 2008.

Steps Your Company Should Take

You should begin planning how to bring your database systems into line. Here are some examples of steps you might take.

  1. Ensure your executive management team is aware of any laws that affect your business.
  2. Ensure the appropriate and responsible employees in your company understand privacy and are compliant with your privacy policies.
  3. Ensure your company has documented and disseminated to all employees information about privacy, how your organization is compliant, and what steps must be taken in the event of a breach. Any unauthorized access of a computer and its data constitutes a breach of a computer system.
  4. Businesses have a responsibility to exercise a certain level of care in protecting their information - especially information deemed confidential. If you do not monitor your systems and a breach occurs, you can be accused of negligence and could be subject to fines.

In order to be prepared for such an event, you must have a policy and a plan for ensuring compliance within your company. Develop policies and procedures that tell you what to do before, during and after a breach of data security.

Summary

You should take privacy policies and how you store data about your customers very seriously. Serious consequences could result from failure to secure your computer systems. Be sure your company is not at risk in this area. Perform an internal audit of all your systems as soon as you can to determine your exposure. Develop a set of policies and procedures and train all employees on what these policies are and what they need to do in their jobs to ensure compliance.