It seems we can’t go a week without hearing about a data breach, password leaks, or software vulnerabilities.
The recent Equifax data breach leaves potentially half of the American population’s Social Security Numbers and identities at risk of compromise. Other notable incidents in recent years are Apple’s iCloud leaks and hacks, and Yahoo’s major breaches in Q3 and Q4 of last year, the latter of which exposed the passwords and security questions of over 1 billion accounts.
Leaks of your sensitive personal information from the Goliath corporations are the ones that make the news, but that’s only a part of the equation. To put it frankly, any piece of data (such as media, images, and text) that you share with a third party is subject to being hacked, leaked, stolen, and otherwise exploited.
To accomplish everyday business operations, it is inevitable that such data is transmitted to and stored with third-party organizations offering services such as file sharing, machine learning, transcription, data analysis, and marketing.
As members of a civilized, modern, technologically advanced society, we have a vested interest in and a moral obligation to protect our private personal information, and that of our company, our customers, and all parties involved.
Sharing any personal or sensitive data with any other party has inherent risk. We’re not going to cover the basics that are regurgitated everywhere after a big breach hits the news. Instead, here are some often overlooked ways you can help mitigate that risk.
Disclaimer. The materials and opinions on this post are for informational purposes only and not for the purpose of providing legal advice or advice regarding information security.
1. Limit the Exposure
There is exactly one way to ensure your private data is safe in the hands of a third party, and that is to not hand it over.
This may sound like a contradiction, but it is the principal way you can protect yourself.
Share only what is necessary. If you don’t need to send a third party a piece of data to accomplish what you set out to do, don’t send it. This one is easy.
For the ambitious company or individual, the most sensitive data can even be processed only in-house, but this is potentially costly and invasive to core operations.
If only a portion of a document or media file is sensitive, it is prudent to protect yourself through omission or redaction. By removing, blanking, or otherwise obfuscating any sensitive information before sharing with another party, you limit what can be exposed if the data is compromised.
For example, if you are sending a recorded insurance interview to a transcription company, you can guarantee they will not leak any personal information about your clients if that information is muted or “beeped” out before the audio is sent.
We understand that business requirements or other limitations may prevent this from being practical, but there are other things you can do to limit the risk of exposure.
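The muting step described above can be automated so that the sensitive spans never leave your systems. The following is an added example, not Speechpad’s code: it uses Python’s standard-library `wave` module to zero out the samples in chosen time ranges of a 16-bit PCM WAV file, and a second function verifies that the ranges really are silent before the file is handed to a vendor. The sample audio is constructed in memory (a constant-amplitude tone), and the `(start, end)` ranges in seconds are assumed to come from whoever reviewed the recording.

```python
import io
import struct
import wave
from typing import Iterable, List, Tuple

# Parameters for the constructed sample recording (assumption: mono 16-bit PCM).
SAMPLE_RATE = 8000
SAMPLE_WIDTH = 2  # bytes per sample, i.e. 16-bit PCM
CHANNELS = 1


def make_test_wav(seconds: float = 2.0, amplitude: int = 8000) -> bytes:
    """Constructed sample input: a mono 16-bit PCM WAV holding a constant tone.

    Every sample equals `amplitude`, so any zeroed region is easy to spot.
    """
    n = int(seconds * SAMPLE_RATE)
    frames = struct.pack("<%dh" % n, *([amplitude] * n))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(CHANNELS)
        w.setsampwidth(SAMPLE_WIDTH)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(frames)
    return buf.getvalue()


def read_samples(wav_bytes: bytes) -> List[int]:
    """Decode a 16-bit PCM WAV into a flat list of signed sample values."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as r:
        if r.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM is handled in this example")
        raw = r.readframes(r.getnframes())
    count = len(raw) // 2
    return list(struct.unpack("<%dh" % count, raw))


def _frame_bounds(start_s: float, end_s: float, framerate: int, total: int) -> Tuple[int, int]:
    """Convert a (start, end) range in seconds to clamped frame indices."""
    start = max(0, int(start_s * framerate))
    end = min(total, int(end_s * framerate))
    return start, end


def mute_ranges(wav_bytes: bytes, ranges: Iterable[Tuple[float, float]]) -> bytes:
    """Return a copy of the WAV with every sample inside the given ranges set to 0.

    Zeroing the samples destroys the original content rather than merely
    attenuating it, so the redacted audio carries nothing to recover.
    """
    with wave.open(io.BytesIO(wav_bytes), "rb") as r:
        params = r.getparams()
        frames = bytearray(r.readframes(r.getnframes()))
    if params.sampwidth != 2:
        raise ValueError("only 16-bit PCM is handled in this example")
    frame_size = params.sampwidth * params.nchannels
    for start_s, end_s in ranges:
        start, end = _frame_bounds(start_s, end_s, params.framerate, params.nframes)
        if end <= start:
            continue
        # Overwrite the whole span with zero bytes (digital silence).
        frames[start * frame_size:end * frame_size] = bytes((end - start) * frame_size)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(bytes(frames))
    return buf.getvalue()


def verify_silent(wav_bytes: bytes, ranges: Iterable[Tuple[float, float]]) -> bool:
    """Pre-send check: True only if every sample in every range is exactly 0."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as r:
        framerate, total, channels = r.getframerate(), r.getnframes(), r.getnchannels()
    samples = read_samples(wav_bytes)
    for start_s, end_s in ranges:
        start, end = _frame_bounds(start_s, end_s, framerate, total)
        if any(samples[start * channels:end * channels]):
            return False
    return True


if __name__ == "__main__":
    original = make_test_wav()
    # Assumed reviewer-supplied span (seconds) containing a client's details.
    redacted = mute_ranges(original, [(0.5, 1.0)])
    print("safe to send:", verify_silent(redacted, [(0.5, 1.0)]))
```

Run the verification on the file you are about to upload, not on the one you edited in memory; the check costs little and catches the classic mistake of sending the wrong copy.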
2. Be Selective
For many types of services there are so many options that it can seem overwhelming to select a company to provide a service for you. The good news is with many options, you’re more likely to find one that fits your business needs.
There is one understanding that is nearly universal across cultures and industries; a lot of us even try to teach it to our loved ones. Nothing is cheap, fast, and of high quality all at once, and you should be wary of anyone who promises all three.
At Speechpad, “quality” is something that goes deeper than the quality of our service and deliverables. We strive for quality in all aspects of business, even our commitment to security.
3. Understand How Your Data is Handled
Unbelievably, some companies (including some of our biggest competitors!) do not explicitly state how data is handled, used, or shared.
It is not uncommon for privacy policies and other legal documents to cover only the basics such as personal information (your email, password, address, and payment information) and behavior (tracking cookies, aggregate data). Incredibly, these companies sometimes fall short on outlining how your media, text, and other data are handled, used, and shared.
Look for prominently featured documents (e.g., linked from the site footer) and make sure they are clearly tailored to the specific company and to how all data is handled in the course of its business operations. That is indicative of a company that takes these things seriously at all levels, and doesn’t just throw up some “must have” documents to placate users and the legal department.
4. Open Up a Dialogue
To better understand how seriously a company takes its role in protecting your data, you should be able to get in touch with someone in support who can connect you with more information. You’re looking to spend money or establish a business relationship, so this should apply at pretty much any level: from the mom-and-pops to the Googles and Amazons of the world.
For companies of all sizes, you can probably expect a fairly boilerplate initial response with additional resources. However, pay attention to whether or not the provided material answers your questions or how willing the company is to engage in discussion.
For small to medium-sized companies (and larger ones with stellar customer support), it should be no problem to be connected with someone who can coherently talk about security and privacy and answer your questions.
The key here is to look for some level of transparency and assess the company’s self-awareness when it comes to their own security practices.
5. Look for Evidence of Proper Data Handling
Be careful not to draw your own conclusions based on available marketing hype. Cut through the sales and marketing materials, legal documents and company promises and look for evidence that the company has the right experience and actually knows what it’s doing when it comes to security and data.
Be wary of certifications and claims of compliance plastered across a website. Rules (such as those specified by HIPAA, PCI, and other laws and standards) can be somewhat flexible. In many cases, a level of “compliance” is just a claim made by the company and requires no external audit or seal of approval. Similarly, enforcement of such rules at all levels (across organizations and across every use of the data) is impractical or impossible.
Lastly, just because a company lists a major health institution as a customer does not mean it’s handling protected health information, nor does it mean that the company is HIPAA compliant. For example, a hospital may use a transcription service or caption company for training or marketing materials, or for increasing accessibility.
If you have a case that requires special consideration, look or ask for case studies or examples of use cases where the company has worked with other customers to meet or exceed their privacy and security requirements. If a company claims compliance with a certain set of guidelines or laws, it should be able to produce documentation describing the operational and technical policies and procedures (including audit mechanisms) that allow it to make such a claim.
I thought you were following along! By now you should be able to see how we all can play a role in the protection of our own personal data, and that of our customers and users, especially when it comes to sharing data with other organizations.
The cheat sheet takeaways when deciding who to share data with are:
- Be choosy about what data you share and with whom you share it.
- Keep a keen eye out for some baseline assurances that a company (as a whole) values privacy and data security.
- Contact a company for assurances, to get a deeper understanding of their security practices, or if you require a certain level of compliance.
We’re always striving to serve our customers better. We invite you to connect with us if you have any questions or feedback about Speechpad’s security and privacy practices.
Keep your head up and share safely!