Data breaches continue to be among the biggest risks that businesses face today. This is due to both the prevalence of bad actors that seek to access and use consumer data for criminal purposes, as well as laws, such as the CCPA, that allow consumers to bring private actions against businesses for a data breach. One of the simplest steps a business can take to prevent a data breach is to limit access to sensitive data.
While in the past a wide range of employees may have had access to customer information, that access should be limited now. The vast majority of data breaches are the result of individual employees inadvertently providing access to this data, either by allowing their computers that have access to or store consumer data to be breached or by providing their access information to hackers in phishing emails or through other scams.
Employee training on data security is a key component of any data security system, but it is not sufficient. One of the best steps to limit liability is therefore to limit employee access to sensitive data to only those employees who need access to perform their daily job functions. Employees who need intermittent access can always be given access on a temporary basis, but open access greatly increases the potential risk.
Not all consumer data is equal in terms of liability. The key is to focus on files and databases that hold any of the following:
- Social security number.
- Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
- Medical information.
- Health insurance information.
- Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
This information can be held in employee files or in consumer files.
If you allow open access to sensitive data, take the time to evaluate who needs access for their job and who does not. This step can greatly increase security by reducing the number of people in the company who could be targets of hackers.