It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Pieter VanIperen who currently runs a boutique group of industry leaders and influencers from the digital tech, security and design industries. Prior to that he has done everything from coding to secure software architecture to holding executive level titles at Fortune 500 companies. He has worked with law enforcement, medical facilities, government agencies and NGOs. Pieter is a certified ethical hacker as well as a professor at NYU where he teaches secure coding for coders, as well as the author of the HAZL (jADE) programming language. He also volunteers his consulting services to local healthcare and law enforcement agencies.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Growing up I was always interested in building and creating things. I would take household items and put them together to create the toys we couldn’t afford. My parents thought it was inventive and took photos. My parents fell on hard times when I was young so any additional education outside of school was not afforded. I spent a lot of time at the library and a lot of time teaching myself things. I had a diverse interest in subjects, so there was never a shortage of material to learn.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
There’s not really an inspirational story here, more of a path to a path. I was in an advanced learning program as a kid, and part of what we did there was learning to program and draw logos using LogoWriter. Something about the process clicked in my head; while others were drawing basic pictures, I programmed an entire animated space scene. I had already dabbled with a Tandy, which was sent to my sister and me by my uncle who was big on gadgets, and was learning I had a knack for it. This is probably one of the first memories I have where I felt programming click.
Can you share the most interesting story that happened to you since you began your career?
The most interesting, it’s tough to choose. I’ve taken a lot of left and right turns in my career, actively fighting what was a very natural career path, and still wound up here. Those different paths and diverse experiences are part of what makes me successful today, though. I may have taken the twisty-turny-rocky way to get here, but I learned a lot along the way. Every experience you endure shapes who you are, how you look at and solve problems, the perspective from which you see the world. And you often find yourself drawing on some seemingly unrelated experience to find the answer to a specific challenge later in life. So the long-winded answer is that people will experience many things in life, some more interesting than others, but all of them impact us and teach us in some way.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I have had a few mentors over the years, but, really, I have to give a lot of credit to my wife. Being an entrepreneur, working in tech and security and learning through failing and pivoting can take a toll. Not just on me, but on her as well. When you have someone behind you like that, it makes all the difference in the world when you get home.
Are you working on any exciting new projects now? How do you think that will help people?
We are lucky to have a very diverse client list which allows us to be involved in many efforts that help people. Whether it’s predicting water levels around the world, securing software for education grants, helping businesses get loans to build homes or helping consumers find products that align with their beliefs. We are blessed with many opportunities that allow us to have a direct positive impact on the world with our work.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Take scheduled breaks and make sure there’s time to rest. Understand that you are only one person, there’s only so much time in the day, and you are less productive the more tired you are. Taking scheduled breaks every 2 hours to stretch your legs for 15 minutes not only helps blood flow, but it also helps keep your head clear and stay focused on tasks.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
The bottom line is you are probably on the hook legally. Compliance has sprawled from focused areas around banking, credit cards, and medical information to PII to really any and all non-anonymized information. If you take payments, or even just store emails and names, you are potentially on the hook for GDPR or CCPA. Compliance jurisdiction often follows your users, not your venue. So if you have someone who is a citizen of an EU nation using your site, or someone who lives in California or New York, the compliance regulations are different. It is nearly impossible to block out compliance liability through avoidance, at this point. Even if you manage to successfully avoid compliance liability, you will still be on the hook for lawsuits if there is a breach or leak.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
That is like asking if minefields should be left lying around. When data is no longer needed for legal purposes and it is not needed for any business functions or the customer is not active, data should be destroyed. Active customers include those who receive email promotions and newsletters/direct mail, app users, those who use specific services offered by the business, business partners, etc. Non-active customers include those who do not receive marketing email/direct mail, those who are not purchasing or utilizing any services, products or applications for a predetermined period of time. That time period should be determined by lawyers familiar with compliance and legal requirements of specific business industries.
In the face of this changing landscape, how has your data retention policy evolved over the years?
The technology landscape is always changing. Let’s discuss what we recommend to our clients for data retention. Data accumulation and retention has run through a cycle. First it was about collecting data, then it was amassing as much data as possible. This amassed information is used for personalized experiences on websites, ads tailored to what you regularly search, etc. Those things are still true, but there have been a lot of regulations and loss of data due to leaks.
Now, instead of amassing all of this data, we recommend tracking behaviors and not identifying information. This not only protects the customer, but the business as well. It gives the business the information it needs to note trends and user experiences, but there’s nothing sensitive attached to it. We also recommend our clients not collect unnecessary information, especially when it’s information that would be dangerous to the customer or the business if leaked. If you don’t need it, get rid of it, and stop taking it in the first place. Lastly, retire data. Get rid of old data, and any data that you may need for historical analysis or compliance should be archived securely — meaning away from the internet.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
I can tell you what we tell our clients:
- Data should be stored and retained for the minimum amount of time it is needed for compliance and business purposes. Once it’s no longer needed, it should be retired, destroyed or archived securely.
- Data should always be encrypted at rest and sensitive information should be hashed or client-side encrypted.
- Any data that is not necessary to store should not be stored.
- In general, anything that is subject to compliance should always have a justification and audit trail for storage, how it is surfaced in an application and when it is removed. Compliance bodies require documentation, especially if kept data is outside typical time frames.
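The retention rules in this answer (minimum retention window, retire or archive when expired, and an audit trail for every decision) can be expressed as a plain database job. The following is an added illustration, not code from the interviewee or his firm: it uses sqlite3 from the Python standard library, a 400-day window, table names and sample rows that are all constructed for the example, and an archive table that stands in for the offline archive the interview describes. Records flagged with a legal hold are kept past the window, and that decision is logged too.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed example. The window, table names and rows are assumptions for this
# illustration; the real retention period is set by counsel for the business.
RETENTION_DAYS = 400
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

SCHEMA = """
CREATE TABLE customers (
    id          INTEGER PRIMARY KEY,
    email       TEXT NOT NULL,
    last_active TEXT NOT NULL,               -- ISO-8601 UTC timestamp
    legal_hold  INTEGER NOT NULL DEFAULT 0   -- 1 = keep regardless of age
);
CREATE TABLE customers_archive (             -- stand-in for an offline archive
    id          INTEGER PRIMARY KEY,
    email       TEXT NOT NULL,
    last_active TEXT NOT NULL,
    archived_at TEXT NOT NULL
);
CREATE TABLE retention_audit (               -- justification for every decision
    id            INTEGER PRIMARY KEY AUTOINCREMENT,
    customer_id   INTEGER NOT NULL,
    action        TEXT NOT NULL,             -- 'archived' or 'kept_legal_hold'
    justification TEXT NOT NULL,
    run_at        TEXT NOT NULL
);
"""

def open_db(now):
    """Create an in-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        (1, "active@example.com", (now - timedelta(days=10)).isoformat(), 0),
        (2, "stale@example.com", (now - timedelta(days=500)).isoformat(), 0),
        (3, "hold@example.com", (now - timedelta(days=900)).isoformat(), 1),
    ]
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn

def run_retention(conn, now, retention_days=RETENTION_DAYS):
    """Archive customers inactive longer than the window; log every decision.
    Returns (archived_ids, held_ids)."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    run_at = now.isoformat()
    cur = conn.cursor()
    # ISO-8601 UTC strings of equal layout compare correctly as text.
    expired = cur.execute(
        "SELECT id, email, last_active, legal_hold FROM customers "
        "WHERE last_active < ? ORDER BY id", (cutoff,)).fetchall()
    archived, held = [], []
    for cid, email, last_active, hold in expired:
        if hold:
            cur.execute("INSERT INTO retention_audit (customer_id, action, justification, run_at) "
                        "VALUES (?, ?, ?, ?)",
                        (cid, "kept_legal_hold", "record flagged legal_hold=1", run_at))
            held.append(cid)
            continue
        cur.execute("INSERT INTO customers_archive VALUES (?, ?, ?, ?)",
                    (cid, email, last_active, run_at))
        cur.execute("DELETE FROM customers WHERE id = ?", (cid,))
        cur.execute("INSERT INTO retention_audit (customer_id, action, justification, run_at) "
                    "VALUES (?, ?, ?, ?)",
                    (cid, "archived", f"inactive since {last_active}; window {retention_days} days", run_at))
        archived.append(cid)
    conn.commit()
    return archived, held

def remaining_ids(conn):
    return [r[0] for r in conn.execute("SELECT id FROM customers ORDER BY id")]

def audit_actions(conn):
    return [(r[0], r[1]) for r in
            conn.execute("SELECT customer_id, action FROM retention_audit ORDER BY id")]

def demo():
    """Run one retention pass over the sample rows and report what happened."""
    conn = open_db(DEMO_NOW)
    archived, held = run_retention(conn, DEMO_NOW)
    return {"archived": archived, "held": held,
            "remaining": remaining_ids(conn), "audit": audit_actions(conn)}

if __name__ == "__main__":
    print(demo())
```

The job is idempotent: a second run archives nothing, but still logs the held record, so the audit trail shows that the exception was reviewed on every pass rather than silently skipped.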
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
There are several pieces of legislation to consider: CCPA, NY Shield, GDPR and a variety of other regulations are popping up around the world and in the US. Generally, we recommend that our clients adhere to a set of data standards that overlap between GDPR, PCI and HIPAA. These are the three strictest policy bodies, so sticking to these puts clients in a good future-facing position, limits liability if there is a leak or hack, and generally teaches clients good data hygiene. The only time clients can deviate from this plan is if absolutely necessary for their business and if compliance is not actually necessary in that instance.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Most data retention policies can be handled with simple, native database tasks or storage configuration. Implementation is relatively uncomplicated in well-designed systems. There are tools out there, but we generally recommend our clients instead invest funds into cleaning up poorly designed systems. Unless the only way forward is to purchase a tool, it is more cost-effective to use existing native software jobs and settings that are more reliable than a tool.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
No. We always stress to our customers that there should be backups for all mission-critical functions that are essential to keep the business running, even if it’s pen and paper. Cloud outages are not frequent, for one thing, but it is important that people know that every piece of technology has a point of failure. Things break and it’s no one’s fault. Having proper backups in place to keep business running is imperative. The information stored on the cloud is protected by so many backups that there’s no reason to change how information is stored.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order to Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Don’t ask for it if you don’t need it. If you’re running a contest, you don’t need entrants’ social security numbers when they submit an entry even if you need it later for the prize to be accepted. It should not be part of the entry form.
- Don’t store it unless you have to. Companies are breached and attacked all the time; the more information you have, the more that can be leaked and the bigger the fine will be. If you don’t need it, don’t take it. If you need it now, but you don’t need it later, don’t store it.
- Treat all sensitive data like it’s your own. Encrypt or hash anything truly sensitive. Hash passwords, or tokens used for access. Hash or encrypt SSNs; usually you don’t want to return SSNs and only want the app to exactly match a record based on full entry of an SSN the user already knows. Failure to protect highly sensitive data will result in easier theft of data and a bigger problem for you at the end of the day.
- Use proper IAM controls. Access is often more important than storage itself. Your cleaning crew doesn’t need access to your data storage solution. Your HR department doesn’t need access to Accounting. Limiting access limits the surface area an attacker has to utilize.
- Always have control of your data. Don’t forget the I and A in CIA: data must have integrity and be available when needed. Employ proper backups and restoration methods. Know what is being deleted, whether it’s intentional or not, and put prevention controls in place for unintentional attempts. Know when data is tampered with: use hashing, encryption, versioning; know when the last update was, etc.
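Two of the points above, hashing passwords and access tokens and matching SSNs only on full entry (third item), and detecting tampering with hashing and versioning (fifth item), fit in one small example. What follows is added here as an illustration and is not code from the interviewee or his firm. It uses only the Python standard library: PBKDF2-HMAC-SHA256 for passwords (scrypt or Argon2 would be preferable where available), a keyed hash (HMAC with a secret pepper) for SSN lookup so the stored token can answer an exact-match query but cannot be reversed or brute-forced over the small SSN space, and an HMAC tag over each versioned record so out-of-band edits are detectable. The two keys, the sample record and the store are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed example. Both keys are placeholders: a real deployment loads them
# from a KMS or secret store and never keeps them beside the data they protect.
SSN_PEPPER = b"PLACEHOLDER-ssn-pepper-key-from-kms"
RECORD_KEY = b"PLACEHOLDER-record-integrity-key-from-kms"
PBKDF2_ROUNDS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow password hash. Stored form: 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def hash_access_token(token: str) -> str:
    """A high-entropy bearer token needs no salt or stretching; storing its
    SHA-256 lets the server check a presented token without keeping the original."""
    return hashlib.sha256(token.encode()).hexdigest()

def ssn_lookup_token(ssn: str) -> str:
    """Keyed hash of the normalised 9-digit SSN. The store can answer 'does this
    exact SSN match a record?' but cannot give the number back, and the 10^9
    possible inputs cannot be enumerated without the pepper."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("exact-match lookup requires the full 9-digit SSN")
    return hmac.new(SSN_PEPPER, digits.encode(), hashlib.sha256).hexdigest()

def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def seal_record(record: dict, version: int) -> dict:
    """Attach a version number and an HMAC over the canonical JSON, so that any
    field edited outside the application (the version field included) is detected."""
    body = dict(record, version=version)
    tag = hmac.new(RECORD_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return dict(body, tag=tag)

def verify_record(sealed: dict) -> bool:
    body = {k: v for k, v in sealed.items() if k != "tag"}
    expected = hmac.new(RECORD_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))

def build_store() -> dict:
    """Constructed sample store, keyed by the SSN token and never by the SSN."""
    record = {"name": "A. Example", "pw": hash_password("correct horse")}
    return {ssn_lookup_token("123-45-6789"): seal_record(record, version=1)}

def find_by_ssn(store: dict, ssn_entered: str) -> Optional[dict]:
    """Exact match on a full SSN the user already knows; partial entry is rejected."""
    return store.get(ssn_lookup_token(ssn_entered))

if __name__ == "__main__":
    store = build_store()
    rec = find_by_ssn(store, "123456789")
    print(rec["name"], verify_password("correct horse", rec["pw"]), verify_record(rec))
```

Note what the integrity tag does and does not cover: it detects any change to a stored record, including its version field, but replacing a record with an older, correctly sealed copy would still verify, so the version must also be checked against the expected current value (or a monotonically increasing log) to catch rollbacks.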
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I’m a firm believer in adopting a system of transparency in the work that you do. In short, we all need to accept that often the reality of a situation is just that — the reality. Project management and software development need to adhere to and respect the same reality in which we all live. I’ve gone to great lengths to stop pretending like projects can deviate from our own human nature, including creating my own system of transparency as it pertains to software production called Radical Production Transparency, or RPT. So, if I could change the way my industry operates, I would ask people to stop qualifying and sugar coating complexities and start respecting them enough to tackle them openly and plainly.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!