#Privacy: Corporate billing cycle under remote working exposes huge risk to sensitive data

Now that major parts of the US are under stay-at-home orders, unprepared corporations face a huge data control problem as they go into their first major billing cycle carried out by employees working at home, according to the International Association of IT Asset Managers (IAITAM).

Thousands of U.S. companies are relying on employees untrained in doing their jobs from home and using untracked equipment on insecure Wi-Fi connections. Not only are these companies putting their own data at risk, but they are also exposing sensitive data about their clients. Less than two weeks ago, The International Association of IT Asset Managers (IAITAM) issued a warning to organizations and government agencies, urging them to consider “nightmare data risks” before moving to work-from-home arrangements.

Dr. Barbara Rembiesa, president and CEO of IAITAM, said: “Many companies were caught unprepared when cities and states issued mandatory stay-at-home rules.

“Now, the rubber is going to meet the road when those companies, which are struggling not to be crippled by COVID-19, try to keep the cash flowing by having employees at home call or email for credit card information, print out invoices on untracked home computers and send them out on personal Wi-Fi networks. This opens up the potential for breaches and fraud on a scale never before seen.”

IAITAM is concerned that many employees will be ill-equipped on home computers and other BYOD (bring your own device) equipment to handle sensitive data such as credit card numbers, foreshadowing imminent breaches of personally identifiable information (PII). Ensuring that policies and procedures are in place and enforced (including on a remote basis) is imperative to protecting data and the integrity of an organization.

Billing information always contains PPI, which is subject to data privacy regulations. It is important to ensure that assets used at home are abiding by internal policies and external regulations that govern billing information.

For instance, Payment Card Industry (PCI) Data Security Standard compliance dictates that companies cannot track credit card numbers or duplicate them without appropriate masking. Under these terms, printing an invoice or taking a credit card payment over the phone, and writing it down without redacting full account numbers, could be considered a data breach.

Industry regulations for sectors such as education, finance or healthcare have separate considerations. Additionally, all businesses that handle data from European citizens are subject to GDPR enforcement and hefty non-compliance fines. It is advisable to consult with an experienced IT Asset Management professional, who can appropriately determine which data regulatory guidelines are at work and how to apply them properly.

Rembiesa added: “It is no longer business as usual. ‘Stay-at-home’ orders ensure that secure payments and billing procedures are nearly impossible. Remote employees are not trained on data privacy regulation and risk exposing sensitive information to a data breach.

“Without proper IT Asset Management, there are major dangers that must be mitigated. It is not too late for CEOs and others in charge of companies to take steps to get these risks under control and to protect their data and that of their customers.”


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/