As if a global pandemic wasn’t scary enough, the FBI’s IC3 (Internet Crime Complaint Center) reported a 300% increase in cybercrime since the Covid pandemic began. While companies know the importance of prioritizing data security, data breaches unfortunately continue to make headlines. As businesses evaluate the technology vendors who will handle their data (or in Flatfile’s case their customer’s data) what should they be looking for? And what criteria should be included on the initial checklist for a data processor?
Data importers like Flatfile fall into the data processor category so in this post we’ll be addressing data processor security. What’s a data processor? By definition a data processor obtains, holds and processes data. Data processors usually process personal data, e.g. email addresses, social security numbers, phone numbers, etc. Due to the sensitive nature of personal data, there are strict legal obligations for data processors to follow or else some serious fines can be applied. There is often confusion in the area of data processor versus data controller. According to Article 4 of the EU GDPR (General Data Protection Regulation), a data controller is the entity (person, organization, etc.) that determines the why and the how for processing personal data. A data processor, on the other hand, is the entity that actually performs the data processing on the controller's behalf.
Laws such as the California Consumer Privacy Act have been enacted to enhance data privacy for consumers and many other states have followed suit to ensure consumers:
Know what personal data is being collected about them
Can access their personal data
Know whether their personal data is being sold and to whom
Can request a business delete any personal information about a consumer collected from that consumer
Not be discriminated against for exercising their privacy rights
Can say no to the sale of personal data
Below we’ll dive into the necessary data security criteria you should pay attention to while reviewing a data processor and more specifically, a data importer. This is by no means an exhaustive list and depending on the industry and the type of data, companies will have various requirements in how they use a data importer but here are key areas to start as you review a vendor.
1. Assess the risk: When researching the vendor you’re considering, take a look at the company’s history when it comes to data breaches. Have they had any? Has there been a breach and more importantly, how did they respond to and resolve the situation? This will help you better understand whether a company will take your data seriously.
2. The technical basics: There are certain basics that should be covered by the vendor such as data encryption. Does the company encrypt data both at rest and in transit? This is standard nowadays. In addition, application and network logging as well as access control to servers, cloud vendors, source control are all part of the basics which should be easily covered by your vendor.
3. A data security culture: It’s one thing to cover the technical basics of data security because it’s fairly straightforward. But when it comes to security breaches or incidents that have occured at a company, it typically involves a person and an error in judgement; which could be accidental or intentional and malicious. More commonly however, it is simply someone who isn't thinking and forwards an email with their credentials or uses the same simple password. While it’s a lot harder to evaluate, it’s important to understand the HR and people policies surrounding data security for the company you’re evaluating. Does the vendor have very clearly delineated policies that employees understand and put into practice? These people policies frequently get overlooked but if a vendor has data security embedded in their culture, that’s not only pretty rare (unfortunately) but impressive and a huge advantage for the vendor.
4. Compliance certifications: While some may feel that compliance certifications simply look like check marks on a vendor’s website, it’s crucial to see that the vendor is aware of their compliance obligations and is meeting them. Additionally it's important to understand what certifications they currently have and what certifications they are actively pursuing in an ongoing effort to keep customer data secure. This shows that the vendor is consistently working to become a more compliant organization. Important compliance efforts for a data processing vendor include GDPR compliance, and the CCPA, SOC2, and HIPAA.
5. Includes security as a standard product feature: While evaluating data importer products and vendors, be sure to get an understanding if security features come standard with the product or if these features are add-ons. Many companies will try and upsell certain privacy and security features, offering them as premium features. For example, the SSO Wall of Shame publishes a list of companies that charge for Single Sign-On, calling them out on upselling something that is a “core security requirement.” At the end of the day, protecting a customer’s data (and their customer’s data) should be ingrained in the product.
6. On-Premise deployment option: For certain highly regulated industries, it may be nearly impossible (despite all the compliance requirements being met) to store customer data anywhere other than in-house. While this option may not be necessary, it’s helpful to understand if the data importer can meet an on-prem requirement.
Additionally, here are some other helpful resources related to data protection laws and data processing security:
Sensitive data, aka customer data needs serious data protection to avoid a security incident such as a data breach. As your team evaluates a data importer like Flatfile Portal or Flatfile Concierge, be sure to review the above key areas as a security jumping off point before implementing a data importer for your customer data.