Companies involved in database marketing or cross-sell activities often struggle to keep their sensitive customer data secure. Leakage of customer data is not only a regulatory problem but also a danger to brand reputation. It may also have negative effects, especially if the data reaches competitors.
Sensitive customer data falls into two main categories:
1. Profile data. A profile starts with personal information including name, birth date, gender, national security number, mother’s maiden name, etc. Contact information such as address, telephone and e-mail is also part of the profile. As part of the profile, some companies may store demographic data like education, work experience, income level, etc. Depending on the company’s line of business, there might be products or services associated with each customer in their profile.
2. Transaction data. It is simply the history/log of actions customers have taken. What products did the customer buy earlier? Where did he use his credit card? When did he call customer service? Transaction data is useful for analytic models, real-time proactive actions, and better targeting in cross-sell activities.
I assume you already take every classic security measure, such as controlled and logged user profiles (to know which employee is accessing which data), firewalls, security software, disabling USB ports, limiting internet access…
In fact, it really does not matter how secure the system is. If the user has access to the data then there is a way to get a copy of it. You may have disabled USB drives and internet access. The user can still take a photo of the screen with his/her smartphone camera.
Then, what is the solution? There is no perfect way to secure a system, sorry for that 🙁 But there is a simple way to help you detect bulk export attempts and sources of leakage:
Keep sensitive customer data together with dummy customer data
Inserting dummy customer data into your actual customer data will go a long way toward finding and, hopefully, preventing data leakage cases. How does it work?
1. Static dummy data
In this approach, you insert dummy customers into your customer base. Each dummy customer should look like a real customer, including contact information and profile. It should not be something like “Test Customer” or “Dummy User” or “Mr. Dummy Brown”. Depending on the size of your customer data, you may create as many dummy customers as needed.
Since these customers do not really exist, no employee should normally query their information in the systems. If you identify such a query, an alert should be raised. It may be a potential customer data export attempt.
This approach is useful for monitoring the activities of in-house employees who can directly access customer data through an interface.
2. Dynamic dummy data
In the dynamic data approach, you don’t need dummy customers in your real customer base. Instead, whenever you send a lead list to an external party for processing (e.g. for cross-sell telesales activity), you insert dummy customers into that lead list. Again, the dummy customers should look like real customers, but this time their contact information (telephone etc.) should actually reach a party who can then report incidents to you. This requirement is the main limitation on creating many different dynamic dummy customers.
As a workaround, you may keep a couple of such trap contact details and change the customer names in each list you send. Since these dummy customers are not in your customer base, you need to keep track of them separately so that you do not forget where they have been used and to whom they were sent.
The dynamic approach raises an alert for you through the trap contact information included in the dummy customer. If that telephone number is called and the caller asks for Mr. Calvin Marines (a dummy customer name), the person who answers the call should report the attempt to the security officers. Of course, the respondent should be informed about the process in advance. The same applies to addresses and e-mail contacts.
When you check which list that dummy customer was included in, you will identify the source of the leakage and can dig deeper to find the exact point.
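The tracking described above, as an added example that is not part of the original post: a small Python registry that plants one uniquely named dummy customer in each outgoing lead list and maps a reported name back to the list and recipient. The trap number, name pools, list ids and the HMAC-based name selection are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values: trap number and name pools are placeholders.
TRAP_PHONE = "+1-555-0100"
FIRST = ["Calvin", "Maria", "Owen", "Lena", "Victor", "Irene"]
LAST = ["Marines", "Holt", "Barros", "Keller", "Dunn", "Lowe"]
TITLES = {"mr", "mrs", "ms"}


def normalize(name):
    """Lower-case a name and drop titles so 'Mr. Calvin Marines' matches."""
    words = name.lower().replace(".", " ").split()
    return " ".join(w for w in words if w not in TITLES)


class DummyRegistry:
    """Records which dummy customer was planted in which outgoing lead list."""

    def __init__(self, secret):
        self._secret = secret
        self._planted = {}  # normalized dummy name -> (list_id, recipient)

    def _digest(self, list_id, counter):
        msg = f"{list_id}:{counter}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def seed(self, list_id, recipient, leads):
        """Return a copy of leads with one unique dummy customer inserted."""
        if len(self._planted) >= len(FIRST) * len(LAST):
            raise RuntimeError("name pool exhausted; extend FIRST/LAST")
        counter = 0
        while True:  # keyed choice, retried until the name is unused
            d = self._digest(list_id, counter)
            name = f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"
            if normalize(name) not in self._planted:
                break
            counter += 1
        self._planted[normalize(name)] = (list_id, recipient)
        seeded = list(leads)
        # Keyed position so the dummy is not always the first or last row
        seeded.insert(d[2] % (len(seeded) + 1), {"name": name, "phone": TRAP_PHONE})
        return seeded

    def trace(self, asked_for):
        """Map the name a caller asked for back to (list_id, recipient)."""
        return self._planted.get(normalize(asked_for))
```

The registry must be stored apart from the customer base and from the systems that external parties or list-handling staff can read, since anyone who can read it can strip the dummy rows before copying a list.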
These techniques are simple and cheap to implement and, at the same time, complementary to existing security solutions. I have previously implemented them and successfully uncovered security breach cases by using dummy customer data.
It is up to you whether to let your employees know these techniques are in place. If it is known, I believe it also prevents most of the attempts, but there is a risk that the dummy customers are located.
Hope to see your data secure!