#Privacy: Corporate billing cycle under remote working exposes huge risk to sensitive data

Now that major parts of the US are under stay-at-home orders, unprepared corporations face a huge data control problem as they go into their first major billing cycle carried out by employees working at home, according to the International Association of IT Asset Managers (IAITAM).

Thousands of U.S. companies are relying on employees untrained in doing their jobs from home and using untracked equipment on insecure Wi-Fi connections. Not only are these companies putting their own data at risk, but they are also exposing sensitive data about their clients. Less than two weeks ago, The International Association of IT Asset Managers (IAITAM) issued a warning to organizations and government agencies, urging them to consider “nightmare data risks” before moving to work-from-home arrangements.

Dr. Barbara Rembiesa, president and CEO of IAITAM, said: “Many companies were caught unprepared when cities and states issued mandatory stay-at-home rules.

“Now, the rubber is going to meet the road when those companies, which are struggling not to be crippled by COVID-19, try to keep the cash flowing by having employees at home call or email for credit card information, print out invoices on untracked home computers and send them out on personal Wi-Fi networks. This opens up the potential for breaches and fraud on a scale never before seen.”

IAITAM is concerned that many employees will be ill-equipped on home computers and other BYOD (bring your own device) equipment to handle sensitive data such as credit card numbers, foreshadowing imminent breaches of personally identifiable information (PII). Ensuring that policies and procedures are in place and enforced (including on a remote basis) is imperative to protecting data and the integrity of an organization.

Billing information always contains PPI, which is subject to data privacy regulations. It is important to ensure that assets used at home are abiding by internal policies and external regulations that govern billing information.

For instance, Payment Card Industry (PCI) Data Security Standard compliance dictates that companies cannot track credit card numbers or duplicate them without appropriate masking. Under these terms, printing an invoice or taking a credit card payment over the phone, and writing it down without redacting full account numbers, could be considered a data breach.

Industry regulations for sectors such as education, finance or healthcare have separate considerations. Additionally, all businesses that handle data from European citizens are subject to GDPR enforcement and hefty non-compliance fines. It is advisable to consult with an experienced IT Asset Management professional, who can appropriately determine which data regulatory guidelines are at work and how to apply them properly.

Rembiesa added: “It is no longer business as usual. ‘Stay-at-home’ orders ensure that secure payments and billing procedures are nearly impossible. Remote employees are not trained on data privacy regulation and risk exposing sensitive information to a data breach.

“Without proper IT Asset Management, there are major dangers that must be mitigated. It is not too late for CEOs and others in charge of companies to take steps to get these risks under control and to protect their data and that of their customers.”


We’re now live at PrivSec Global!
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Register your virtual seat today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

Secure your seat

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.