Microsoft Windows Security Resource Kit

Protecting the Privacy of Your Customers and Business Partners

Customers want to feel comfortable when sharing their contact information with your company. When customers ask you how you will protect their personal data, you should be able to offer an answer that instills confidence in your company's ability to protect access to and use of their data. Showing customers your company's security and privacy policy in writing is the best way to set their minds at ease.

Storing Customer Data Securely

Security is a big part of protecting a customer's personal information. This book has already covered a number of security techniques; however, it will be helpful here to reiterate a few tips on using security to protect a user's data:

Collecting Customer Data and Privacy Preferences

When collecting contact information from your customers, you should offer them a way to enter their privacy preferences. Web sites should include privacy settings on the same form where their data is collected. If your customers are sending their information to you via e-mail, provide them with a template to fill out that includes privacy fields or send them such a template in an acknowledgment e-mail message. Mark a customer's record as incomplete until you receive his response, or set his preferences to the most restrictive values by default. A customer's privacy preferences should be stored along with his contact information. When sending customer contact information to another group within your company or to a third party, include the customer's privacy preferences.
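The following sketch shows one way to apply the rules in the paragraph above. It is an added example, not code from the book. The field names are hypothetical, and refusing a third-party export when the customer has not opted in is this example's own assumption about how a stored preference would be honored.

```python
from dataclasses import dataclass, asdict

# Hypothetical preference fields; False is the most restrictive value for each.
PREF_FIELDS = ("allow_marketing_email", "allow_phone_contact",
               "allow_third_party_sharing")


@dataclass
class CustomerRecord:
    name: str
    email: str
    preferences: dict   # stored along with the contact information
    complete: bool      # False until every privacy field has been answered


def _answer(form, field):
    """Normalize one submitted privacy field to 'yes', 'no' or '' (unanswered)."""
    value = form.get(field)
    text = value.strip().lower() if isinstance(value, str) else ""
    return text if text in ("yes", "no") else ""


def record_from_submission(form):
    """Build a record from a web form or a filled-in e-mail template."""
    answers = {f: _answer(form, f) for f in PREF_FIELDS}
    # Only an explicit "yes" opts in; blank or malformed stays restrictive.
    prefs = {f: answers[f] == "yes" for f in PREF_FIELDS}
    complete = all(answers.values())
    return CustomerRecord(form["name"], form["email"], prefs, complete)


def export_for(record, recipient_is_third_party):
    """Serialize a record for another group; preferences travel with it."""
    if recipient_is_third_party and not record.preferences["allow_third_party_sharing"]:
        # Assumption of this example: an export the customer has not allowed is refused.
        raise PermissionError("customer has not allowed third-party sharing")
    return asdict(record)


if __name__ == "__main__":
    # Constructed sample: an e-mail submission that left the privacy fields blank.
    partial = record_from_submission({"name": "A. Customer", "email": "a@example.com"})
    print(partial.complete, partial.preferences)
    print(export_for(partial, recipient_is_third_party=False))
```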

Controlling the Handling of Customer Data

Your customers' privacy preferences will be useless unless you have a policy in place to help your employees understand the guidelines for handling customer information. As part of your company's new employee orientation, you should train employees on the proper handling of customer data.

Applications that collect data from customers should have a privacy menu that points to the company's privacy policy. The first time that the application is run, customers should be forced to accept the terms of the privacy policy. Furthermore, before employees can access customer data via the company's intranet, those employees should be required to read a privacy policy page and accept its conditions.
