DATA AND PAYMENT SECURITY PART 1

Transcription

1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of fraud against our members and therefore have engaged with experts in the field of fraud prevention to ensure your organisation is in the best place to minimise the threat of fraud. DATA AND PAYMENT SECURITY PART 1 Why Secure your Data and Payment Information? Payment and personal details are the basic tools used by criminals to commit fraud. If you have unsecured payment systems or personal data and this is used for fraud then you could be liable. The most obvious reason for securing data and payment details is that unsecured data on your staff, supplier, or customer data could be used by a competitor to steal your business. In addition personal data held on staff, customers and suppliers must be gathered, stored and used in accordance with the requirements of the Data Protection Act otherwise your organization could be subject to prosecution and fine by the Information Commissioner, or you could be sued for damages by the staff, customers, or suppliers that have been affected. All payment data must also be secured in accordance with the principles of PSI-DSS (Payment Security Industry Data Storage Systems). Failure to implement PCI-DSS fully could result in any fines or penalties imposed upon others in the supply chain being passed back to you and also result in your payment gateway being removed. Securing Personal Data It is sometimes said that a person cannot give out information, or do some act, because they are prevented by the Data Protection Act. Usually the person stating this is either ignorant of the law or hiding behind it so that they do not have to cooperate. In fact the Data Protection Act is an enabling piece of legislation which permits organisations to do most things that they want to do with data so long as they do so in accordance with the law and do so fairly, transparently, and carefully. In order to handle, process, or store, personal data fairly and lawfully every organisation must first make a register entry with the Information Commissioner s Office explaining how they intend to do so. The register entry can be amended at any time to add or remove areas as the requirements for data handling by the organisation change. The best way of maintaining the register entry and ensuring compliance is to have a dedicated person

2 responsible for Data Protection within the office. The Data Protection Act regulates personal data which means personal information falling into one of the following four categories. Information processed, or intended to be processed, wholly or partly by automatic means (that is, information in electronic form usually on computer); Information processed in a non-automated manner which forms part of, or is intended to form part of, a filing system (that is usually paper records in a filing system), Information that forms part of an accessible record (that is, certain health records, educational records and certain local authority housing or social services records, regardless of whether the information is processed automatically or is held in a relevant filing system); and Information held by a public authority (referred to as category e data as it falls within paragraph (e) of section 1(1) of the DPA). Employee Data During the course of an employee s time with the company they are likely to provide highly sensitive data to the company so that their employment may be administered. Express consent will be given by the employee for the information to be used for the purposes they were requested, such as setting up payroll, personnel records; making reasonable adjustments to cater for a disability, and so forth. Implied consent will also be given by the employee for the company to share this information with any 3rd party organisation that provides any of the services required to administer the employment and also so that the company can carry out any monitoring (for example to identify health issues), or research. Full details of an employer s obligations for employment records, monitoring at work, information about employees health, recruitment and selection can be found at: Purchasing Mailing Lists From time-to-time the company may purchase contact details of potential customers from 3rd party sources. These may be mailing lists for example. In these cases the company needs to be very careful to obtain written undertakings from the owner of the list that all of the people whose personal data is contained within it have expressly consented for their details to be passed to a 3rd party organisation. Ideally the source of the listing will be able to demonstrate on their systems that consent has been expressly obtained to allow the data to be passed.

3 It is recommended that all databases of names are segmented so that the following types of recipient are identifiable: 1. Existing opt-in recipients 2. Lapsed opt-in recipients (so that they can be sent a re-opt-in facility and are not sent marketing material unless they do opt-in) 3. Soft opt-in recipients (who are not able to receive promotions for services/products not originating from the supplier) 4. Opted out recipients (the opt-out must be respected fully to avoid breaking the directive) here it means the same as unsubscribe. Where the supplier cannot demonstrate that all people in the list have consented to their details being passed then the data should be treated with caution. At the very least it should not be used except where it is possible to identify that some individuals have consented; in which case those identified as having consented may have their contact details used but no one else on the list may. Storing Personal Data All personal data must be stored securely. A personal data breach means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provisions of a public electronic communications service." It is a criminal offence to store personal data insecurely. Sharing Data Is the Data Sharing Justified? Key points to consider: 1. What is the sharing meant to achieve? 2. Have you assessed the potential benefits and risks to individuals and/or society of sharing or not sharing? 3. Is the sharing proportionate to the issue you are addressing? 4. Could the objective be achieved without sharing personal data? Remember that section 29 of the Data Protection Act allows you to share data for the following purposes: (a) the prevention or detection of crime, (b) the apprehension or prosecution of offenders, or (c) the assessment or collection of any tax or duty or of any imposition of a similar nature.

4 If You Decide to Share It is good practice to have a data sharing agreement in place. As well as considering the key points above, your data sharing agreement should cover the following issues: 1. What information needs to be shared. 2. The organisations that will be involved. 3. What you need to tell people about the data sharing and how you will communicate that information. 4. Measures to ensure adequate security is in place to protect the data. 5. What arrangements need to be in place to provide individuals with access to their personal data if they request it. 6. Agreed common retention periods for the data. 7. Processes to ensure secure deletion takes place. Data Subject Access Request Anyone that the company holds personal data on is entitled to request details of any records held about them. What information is an individual entitled to? Subject access is most often used by individuals who want to see a copy of the information an organisation holds about them. However, subject access goes further than this and an individual is entitled to be: told whether any personal data is being processed; given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; given a copy of the personal data; and given details of the source of the data (where this is available). An individual can also request information about the reasoning behind any automated decisions taken about him or her, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret). Subject access provides a right for the requester to see their own personal data, rather than a right to see copies of documents that contain their personal data. Often, the easiest way to provide the relevant information is to supply copies of original documents, but you are not obliged to do this. What is the time limit for responding? In most cases you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it.

5 Is any information exempt from subject access? Some types of personal data are exempt from the right of subject access and so cannot be obtained by making a Subject Access Request (SAR). Information may be exempt because of its nature or because of the effect its disclosure is likely to have. There are also some restrictions on disclosing information in response to a Subject Access Request where this would involve disclosing information about another individual, for example. Does a SAR have to be in a particular format? A Subject Access Request simply needs to be made in writing and, if you require payment of a fee for dealing with the request, to be accompanied by the fee. You may not insist on the use of a particular form for making a Subject Access Request, but making a form available may assist the requester to provide the information you need to deal with their request. How much is the fee? Unless a Subject Access Request relates to one of a small number of special categories of information, the maximum fee you can charge for dealing with it is 10. This fee is set by the Information Commissioner s Office. Different fee limits apply where the request concerns health or educational records or credit files. Data Breaches Keep a log of personal data breaches Records must be kept of all personal data breaches in an inventory or log. It must contain: 1. the facts surrounding the breach; 2. the effects of that breach; and 3. remedial action that is taken. When to notify breaches to the ICO The Information Commissioner must be informed of any personal data breaches within 24 hours of the company becoming aware of the facts of the breach. This notification must include at least: your name and contact details the date and time of the breach (or an estimate) the date and time you detected it basic information about the type of breach basic information about the personal data concerned If possible, you should also include full details of the incident, the number of individuals

6 affected and the possible effect on them, measures taken to mitigate those effects and information about your notification to customers. You must submit a second notification form to the Information Commissioner within three days, either including these details, or telling us how much longer it will take you to get them. Failure to comply with the requirement to submit breach notifications can incur a 1,000 fine. Notifying breaches to your subscribers You may also need to tell any subscribers or users of the website. If the breach is likely to adversely affect their personal data or privacy you need to, without unnecessary delay, notify them of the breach. You need to tell them: your name and contact details the estimated date of the breach a summary of the incident the nature and content of the personal data likely effect on the individual any measures you have taken to address the breach how they can mitigate any possible adverse impact of the breach You do not need to tell subscribers about a breach if you can demonstrate that the data was encrypted. Laptops and PC s Security 1. Install a firewall and virus-checking on your computers. 2. Make sure that your operating system is set up to receive automatic updates. 3. Protect your computer by downloading the latest patches or security updates, which should cover vulnerabilities. 4. Only allow your staff access to the information they need to do their job and don t let them share passwords. 5. Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen. 6. Take regular back-ups of the information on your computer system and keep them in a separate place so that if you lose your computers, you don t lose the information. 7. Securely remove all personal information before disposing of old computers (by using technology or destroying the hard disk). 8. Consider installing an anti-spyware tool. Spyware is the generic name given to programs that are designed to secretly monitor your activities on your computer. Spyware can be unwittingly installed within other file and program downloads, and their use is often malicious. They can capture passwords, banking credentials and credit card details, then relay them back to fraudsters. Anti-spyware helps to monitor and protect your computer from spyware threats, and it is often free to use and

7 update. Security 1. Consider whether the content of the should be encrypted or password protected. 2. When you start to type in the name of the recipient, some software will suggest similar addresses you have used before. If you have previously ed several people whose name or address starts the same way e.g. Dave - the autocomplete function may bring up several Dave s. Make sure you choose the right address before you click send. 3. If you want to send an to a recipient without revealing their address to other recipients, make sure you use blind carbon copy (bcc), not carbon copy (cc). When you use cc every recipient of the message will be able to see the address it was sent to. 4. Be careful when using a group address. Check who is in the group and make sure you really want to send your message to everyone. 5. If you send a sensitive from a secure server to an insecure recipient, security will be threatened. You may need to check that the recipient s arrangements are secure enough before sending your message. Other Security Measures 1. Shred all confidential paper waste. 2. Check the physical security of your premises. 3. Dispose of removable data storage and memory sticks in an approved way. Guard your phone, and set PINs and passwords Treat your mobile device as carefully as you would your bank cards. Take care when using your phone or laptop in public, and don t let it out of your possession. Thieves can quickly rack up huge bills on stolen phones, and you may be liable for all charges run up on your phone before you have reported it lost or stolen to your provider. To help prevent this happening, protect your mobile device against unauthorised use by setting up a PIN, swipe pattern, or password for your home screen. You can usually do this through the settings feature on your device. Encrypt all personal data records on portable devices All files containing personal data should be encrypted no matter what storage device is used including; memory sticks, discs, laptop memory, portable memory device etc. All laptops should have a password to allow access to the device, and consider a further password to protect any files containing personal data.

8 Take precautions in case your phone is lost or stolen Make a record of your phone s IMEI number, as well as the make and model number. The IMEI is a unique 15-digit serial number which you will need to give to your mobile operator to have your phone blocked. You can check your IMEI number by keying *#06# into your handset or by looking behind your phone battery. Consider making your phone less useful to potential thieves by barring calls to international numbers and premium rate lines, if you never use them. Some mobile insurance policies, or any other policies that may cover the mobile phone, could provide limited cover for unauthorised use. So it is worth checking the terms and conditions of your existing policy, and when considering a new policy. The national Mobile Phone Crime Unit s Immobilise database is a free registration service that assists the police in reuniting owners with their stolen smartphones. Contact us Prevention of Fraud in Travel (PROFiT) - Fraud Intelligence Network (FIN) -