Do you really know who's guarding your data? With the Application Service Provider model coming of age, it has become quite popular for the small business sector to use third parties to manage their data. Take, for instance, automotive dealerships. Sometimes unbeknownst to them, they are bound by the Gramm-Leach-Bliley Act. Now, the general intent of the Act is not consumer protection, but there is a consumer protection section to the Act. In essence, it dictates that the protected, personally identifiable information provided for auto loans must be protected. Personally identifiable information can be anything from a social security number to a mailing address. These dealerships take the credit information from the customers as necessary, provide that data to financing partners, and sometimes even to third-party Customer Relationship Management (CRM) companies.

What IS compliance?

Compliance? First, you need to understand the information security provisions of the law. In a nutshell, it states that you have been trusted with sensitive information that can be used to identify your customer. Protect that information, or you can be found liable. In fact, the officers can be found PERSONALLY liable for US$ 10 000 per offense, and the institution itself can be found liable for not more than US$ 100 000 per offense. Now that I have your attention... what measures do you take to protect your customers' data? As it stands right now, the standard you are held to is simply what is “reasonable”. However, the definition of reasonable can change from year to year. Do you ensure that all of your external communications are sent over encrypted communication tunnels? Can you disable your accounts immediately upon an individual's separation from the company? If you use a third party, you may be interested to know that you are responsible for their handling of your customers' data. That is, unless you have a binding agreement with them that they will handle your customer data in compliance with your security policies. In choosing to do business with you, your customers have chosen to entrust you with their identity: information that, if improperly disclosed, could be used to harass your customers, or even to steal their identity. To do anything but protect that information as if it were your own would be disingenuous.