Never before have European organisations been under such vicious,
and enduring, security attacks. Hacking, phishing, identity
theft, spyware, unauthorised data access and so on – these
threats are appearing in ever more sophisticated forms. With
the number of consumer transactions at an all-time high, the
question of how best to protect customer data has shot up the
priority list. We’ve all seen the headlines, and
the one thing that we can all be sure of is that no one is
immune.
As well as being duty-bound to keep partner and customer data
secure, businesses are liable for any damage caused or financial
ramifications that may ensue should confidential data fall
into the wrong hands. Safeguarding data effectively is also
beginning to translate into competitive advantage as customers
become more concerned about identity theft.
Many organisations across the EU have struggled to comply
with the EU Data Privacy Directive. Whilst many have now plugged
the more obvious gaps in their data privacy strategies, they
still have loopholes that could expose them to a data scandal.
One of the biggest of those loopholes concerns application
testing. The problem is that applications are still being tested
with live customer data. Such an approach is appealing to the
extent that it provides the valid data required for thorough
testing. Unfortunately, however, it directly contravenes data
privacy regulations: using data in the testing environment
usually means companies are using the information for a purpose
other than that approved by the customer.
Testing with live data also makes the data vulnerable to attack.
Applying data protection rules to the in-house testing environment
is tough enough, but the problem is being compounded by the
trend to outsource application development, and testing,
outside the EU.
Naturally, companies will say they have measures in place
to protect confidential data when testing, in-house or offshore.
However, it has become evident that a determined fraudster,
or rogue employee, can overcome even the most stringent of
measures.
Protective measures do not, in any case, affect the central
issue that it is illegal to use customer information in application
testing. In addition, data privacy rules clearly state that
whilst customer data can flow between member states without
any further safeguards, it cannot be transferred outside the
EU unless that country can provide similar levels of privacy
protection. Countries such as Switzerland, Canada and the US
are officially recognised as providing adequate safeguards
for customer data, but most outsourcing is to countries that
are not so recognised.
Many companies adopt a relatively simple solution – they
blank out sensitive data in the testing environment. The trouble
is that thorough application testing requires valid data. Desensitising
data by blanking often results in a less than comprehensive
test. In addition, from a security perspective blanking does
not prevent illicit access to the information; it is simply
vulnerable to misuse at an earlier stage, because the blanking
process is normally under human control.
A better solution is to disguise the data. By replacing
sensitive values on the customer record, such as addresses,
with other values (perhaps read from a file), customer data
can be transformed into a form that is unrecognisable but still
makes sense from a systems point of view; fields used for processing,
such as the postcode, can be left intact. Disguising
data can be automated, removing the human risk element entirely:
until the data has been disguised, it is subject to the same
security measures as any live data.
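The substitution approach described above, as an added worked example (this is illustrative code, not something from the article or any product it refers to). It disguises a small constructed customer extract: names and addresses are replaced from substitute lists (standing in for the "file" of replacement values), the e-mail address keeps a valid shape but points at the reserved .invalid domain, and the postcode and customer ID pass through untouched because processing depends on them. The substitute for a given live value is chosen with a keyed hash, so the same customer is disguised the same way every time (duplicates and cross-record links survive, which blanking destroys) while the mapping cannot be recomputed without a key that stays outside the test environment. A final check refuses to release an extract in which any original sensitive value survives, which is the automated gate that removes the human step the article warns about. All names, field lists and sample values are constructed for the example.

```python
import csv
import hashlib
import hmac
import io

# Constructed substitute values, standing in for the file of replacement
# values the article mentions (hypothetical; a real list would be far longer).
SUBSTITUTE_NAMES = ["A. Example", "B. Sample", "C. Placeholder", "D. Stand-in"]
SUBSTITUTE_STREETS = ["1 Test Lane", "22 Mock Road", "7 Fixture Way", "90 Dummy Close"]

# Fields replaced from a substitute list. Fields that downstream processing
# relies on (the postcode, the customer ID) are deliberately absent here and
# pass through unchanged.
SUBSTITUTE_FIELDS = {"name": SUBSTITUTE_NAMES, "address": SUBSTITUTE_STREETS}

# Constructed sample extract of "live" records (every value is fictional).
LIVE_EXTRACT = """customer_id,name,address,postcode,email
1001,Jane Doe,14 Real Street,SW1A 1AA,jane.doe@example.com
1002,John Roe,3 Actual Avenue,M1 1AE,john.roe@example.com
1003,Jane Doe,14 Real Street,SW1A 1AA,jane.doe@example.com
"""


def _tag(key: bytes, field: str, value: str) -> bytes:
    """Keyed digest of one field value: the same live value always maps to the
    same substitute (so duplicate customers stay duplicates in the test set),
    but nobody holding only the test data can reverse or recompute the mapping."""
    return hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()


def disguise_record(record: dict, key: bytes) -> dict:
    """Return a copy of one customer record with its sensitive fields disguised."""
    out = dict(record)
    for field, choices in SUBSTITUTE_FIELDS.items():
        idx = int.from_bytes(_tag(key, field, record[field])[:4], "big") % len(choices)
        out[field] = choices[idx]
    # The e-mail keeps a valid shape so address-validation code is still
    # exercised, but uses the reserved .invalid domain so a test run can never
    # deliver mail to a real customer.
    out["email"] = "user-" + _tag(key, "email", record["email"]).hex()[:10] + "@test.invalid"
    return out


def blank_record(record: dict) -> dict:
    """The blanking approach the article criticises, kept for comparison:
    values are emptied, so any code path that depends on their format goes
    untested."""
    out = dict(record)
    for field in list(SUBSTITUTE_FIELDS) + ["email"]:
        out[field] = ""
    return out


def disguise_extract(csv_text: str, key: bytes) -> list[dict]:
    """Disguise every row of a CSV extract; suitable for an unattended job."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [disguise_record(row, key) for row in rows]


def live_values_leaked(csv_text: str, disguised: list[dict]) -> bool:
    """Release gate: True if any original sensitive value survives in the
    output. Run before the data set is handed to a test team or a supplier."""
    fields = list(SUBSTITUTE_FIELDS) + ["email"]
    originals = {row[f] for row in csv.DictReader(io.StringIO(csv_text)) for f in fields}
    return any(row[f] in originals for row in disguised for f in fields)


if __name__ == "__main__":
    # Constructed key; in practice it lives with the production side, never
    # alongside the disguised data.
    demo_key = b"constructed-demo-key-kept-outside-test-env"
    for row in disguise_extract(LIVE_EXTRACT, demo_key):
        print(row)
```

Because the substitute is picked by a keyed hash rather than a random draw, the job is repeatable: re-running it on a fresh extract gives the same test identities, so tests written against the disguised set keep working. The key is the only secret; if it is rotated, every substitute changes at once, which is the desired behaviour if the disguised set is ever suspected of having been correlated with live data.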
Disguising data helps companies to manage the risk of becoming
entangled in a data privacy crisis, and avoid the catastrophic
costs that such a crisis brings – and the adverse publicity.
No one likes the sound of their customers walking across the
road to a competitor, but if organisations don’t start
taking responsibility for the use of data during testing (in-house
or offshore), this sound could become a familiar one.