How to Protect Customer Data and Information

Topics: AmTrust News Cyber Liability Risk Management

Data breaches can take place on both a large and small scale, but most people are probably more familiar with the bigger incidents. The Equifax data breach was all over the news in 2017, when cybercriminals accessed around 145.5 million customer records, obtaining personal information like birth dates, addresses, driver’s license numbers and social security numbers. 2018 brought the Marriott Starwood data breach, when hackers accessed the guest reservation database to expose the personal information of up to 500 million people. As recently as March 2019, software giant Citrix fell victim to a cybersecurity attack, where international cybercriminals were able to access over six terabytes of sensitive data stored on their network.

In lieu of these stories and others like them, you may be wondering: is my customer data secure? What else can I do to protect it? Learn ways you can help improve your data security and how to better protect your customers' data.

Data Classification: Understanding Data to Prevent Cybersecurity Attacks and Breaches

protecting customer data

There is no guarantee that your organization will never experience a data breach. The good news is there are steps you can take to help reduce the cost if a breach does occur. The best way to mitigate the cost of a breach is to be prepared: secure the business, get a plan in place, and make sure everyone knows their role in preventing and responding to a breach.

It’s important to remember that all data poses a risk to a business. Classifying the data to understand the level of protection it requires is a key security control, and it is the first step in building an effective security policy.

Organizations can use the “5 Ws” to classify data. These are questions commonly used for gathering information by journalism professionals or in police investigations – what, who, where, when and why questions that help get the complete story on a subject.


What is the classification of the data? Is it critical, sensitive, regulated, or needed by a third party?


Who created the data? An employee, a system, a customer, or unknown?


Where is the data stored? Is it in one place, in many places, the right/wrong place, or a safe place where it’s protected?


When was the data created? Is still necessary, does it need to be “live,” or can it be archived? Why Why is the data necessary? Due to regulation, history, nostalgia, paranoia, or just out of habit?

Answering these questions can help classify the data as:
  • Highly sensitive or regulated data: This type of data could seriously and adversely impact the organization’s business partners, vendors and customers in both the short and long term. It could include information like credit card transactions data, customer names and addresses, passwords, employee payroll files and social security numbers.
  • Medium sensitivity: Information such as internal audit and financial reports, partnership agreements, marketing plans and employee performance evaluations is data that is meant to be private within the organization.
  • Low sensitivity: Although this data may be available to a wide audience, it is still generally only accessible within the organization. Sharing it outside the organization might violate policy, but the data itself shouldn’t have much of an impact on the employees, partners or vendors.

Protecting Your Data – and Your Client's Data, Too

One of the best ways to protect your data and guard against cyber exposure is to make sure there aren’t any cyber exposures undefended. To do that, we recommend regularly completing a Cyber Security Risk Assessment. During this analysis of the client’s cyber risks, consider the following:

Employee Training

All employees should be trained on the importance and methods of data security. Both physical and digital records should be safeguarded at all times, and confidential information about clients, employees or corporate affairs should always remain secured.

Data Quality

Old data should be properly archived or deleted based on local and federal laws, and company policies. A data breach can result in litigation.

Data Encryption

All data, whether on a personal device, computer, or server should be protected by proper encryption. Companies in many states can benefit from safe harbor exemptions that only apply if the company can prove the data was encrypted before a breach.

Data Prevention Preparation

While having a good procedure in place is a great way to prepare for a cyber security breach, an untested procedure could have many flaws. Practicing the data breach response plan offers the opportunity to uncover and plug any holes in the plan before there’s an actual data breach.

Common Warning Signs of a Cybersecurity Attack

Another way to stay protected from a data breach is to understand their common warning signs and the things your organization can do to remain secure. These include:

Monitor Unusual Behavior

If a program acts up, it could simply be a software or hardware malfunction, but it could be something much worse. Check the system for other irregularities.

Investigate Suspicious Files

If malware is detected, or a user reports opening a suspicious file, don't take any chances. Assume that the malware has infected something, and don't stop investigating until you find out what, if anything, was breached.

Review System Communication

Regularly review communication patterns on the network. If an employee’s computer is accessing other workstations or transmitting large amounts of data to somewhere outside of the network, this could be a sign of a compromise.

Run Scans

Keep anti-virus and anti-malware programs up-to-date. Also, run vulnerability programs to look for missing patches and other security risks.

Check Your Credit

Customer information isn’t the only confidential data on the server. Chances are, there's plenty of information about your company on there, too. Changes in your credit rating could be an indication of fraud.

Protect Your Organization with Cyber Liability Insurance

cyber liability insurance policy from AmTrust can help safeguard your company against loss and damage in a cyber attack. Contact an AmTrust agent today to find out how you can benefit from a policy, and how to protect your organization from cyber security attacks and other data breach threats.

This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.

Time Zones