It seems as if there are news articles every day about the theft or loss of personal customer data. In fact, our local newspaper itself made the headlines for loss of data when it recycled computer reports to wrap newspaper bundles. The computer reports provided the names and credit card numbers of thousands of the paper’s customers.
Because of breaches like that, securing personal data is becoming a hot topic in business today.
What is non-public personal information? Governmental entities involved in regulating or enforcing privacy protections have defined it in different ways although the definitions are similar. For example, consent orders issued by the Federal Trade Commission define “personal information” to mean “…individually identifiable information from or about an individual consumer….” The definition then lists a large set of examples such as name, address, social security number, drivers license number, bank account number, and so on. Most utilities would maintain several data elements noted in this definition.
Utilities gather a great deal of non-public personal information (NPI), and have a responsibility to their customers to ensure its security. Savvy utilities are being proactive in reviewing and updating their policies and procedures as they relate to NPI data. Our customers expect that we will maintain the privacy of their data. Failure by a utility to do so would have significant ramifications in customer trust and satisfaction.
Classify and Inventory NPI Data
How are companies approaching a review of NPI data? Many include steps to classify and inventory NPI data, along with reviewing policies, contracts and data security procedures.
This first step will be a foundation to later review and update contracts, policies and procedures. A simple approach is to sort data elements into high, medium and low risk categories. For example, social security numbers fall into high risk. Name and address may fall into medium risk, while a utility account number may be classified as low risk.
Inventory NPI Data
Completing a robust review of all NPI data collected, and documenting where and how this data is captured, stored, maintained and transmitted, is vital in an NPI review.
Let’s look at the example of a social security number. This data element may be captured initially in a CIS system, then exported to a credit system, transmitted to a third-party credit agency and perhaps eventually sold as part of a bad debt portfolio sale. At NSTAR, we approached our NPI data inventory by application and by external data pathways such as electronic data interchange. For each application we noted what personal data elements were captured, how they were stored, and how they were protected. We also noted what data was transmitted through each of our external data pathways, where the data was sent, and how it was protected in transit.
Review data security policy
What policies are in place for securing high, medium and low risk data? High risk and medium risk data, in one policy example, could be encrypted or segregated in a special secure database. Security policy may also indicate that high risk data is never printed, sent through normal e-mail, or downloaded to a laptop or desk-top computer.
Additionally, policies will identify NPI data owners, define backup procedures and address security of non-electronic data. The policy may also address requirements of third parties with respect to transmitting and maintaining security of NPI data and define actions if a security breach occurs.
Ensuring that contracts with third-party partners are in alignment with the NPI policy is a very important step. Contract language may have to be changed to reflect more rigorous security requirements. Standard language for all new contracts should be developed and approved by the legal department. Language may be included in the contract that requires validation that security measures are adequate and requires notification of any security or privacy incident.
Data security procedures
Data security procedures need to support the NPI policy. The implications of policy changes that require masking of high risk data, for example, may include IT programming to mask data fields in the various applications. New technical and business procedures and employee communication programs will be required to ensure the implementation of the policy.’
Procedures may also define a recovery plan if a security breach were to occur. This plan will designate decision owners and procedures, and define recovery processes and IT mitiga-tion steps.
Penni McLean-Conner is the vice president of customer care at NSTAR, Massachusetts’ largest investor-owned electric and gas utility. McLean-Conner, a registered professional engineer, serves on several industry boards of directors, including the CIS Conference, the Consortium for Energy Efficiency and the Massachusetts Technology Collaborative. Her first book, ?Customer Service: Utility Style,? has been published by PennWell Books.