Our customer was storing all of their customers' PII unencrypted in production databases that served their front-line sales and customer service functions.
Any unauthorized access to that data, whether by an insider or an outsider, would have been a reportable breach requiring public disclosure. By leaving customer PII unencrypted at rest they exposed themselves to the financial and reputational cost of breach notification. They were also exposing their customers to identity theft and possible fraud, which would further damage their brand.
Establish mechanisms in development, test, and QA to encrypt sensitive customer data in their databases, so that encryption became part of how the applications stored PII rather than a one-off change to production. Also, demonstrate due diligence on the part of the organization when acting as a steward of customer data.
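The pattern that engagement calls for is application-level (field-level) encryption: the application encrypts the PII column before it reaches the database, so an insider or attacker with full database access still sees only ciphertext. The program below is an added illustration written for this page, not code from the engagement or from the customer. It assumes a hypothetical key ring keyed by a one-byte key ID (in practice the key would come from a KMS or HSM, never from the same database), uses AES-256-GCM from the Go standard library, and binds each ciphertext to its customer ID as associated data so a value copied into another customer's row fails to decrypt. The customer record is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// CustomerRow is a constructed example of a row as the sales/customer-service
// application would store it: the customer ID stays in clear text so it can be
// indexed, the SSN column holds base64(keyID || nonce || AES-GCM ciphertext).
type CustomerRow struct {
	CustomerID string
	Name       string
	SSNEnc     string
}

// KeyRing is a hypothetical stand-in for a KMS: key ID -> 256-bit key.
type KeyRing map[byte][]byte

var ErrNoKey = errors.New("unknown key id")

func aeadFor(ring KeyRing, keyID byte) (cipher.AEAD, error) {
	key, ok := ring[keyID]
	if !ok {
		return nil, ErrNoKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one PII value under the key identified by keyID. The
// customer ID is passed as associated data (authenticated, not encrypted), so
// the ciphertext only opens when presented with the row it was written for.
func EncryptField(ring KeyRing, keyID byte, customerID, plaintext string) (string, error) {
	gcm, err := aeadFor(ring, keyID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(customerID))
	blob := append([]byte{keyID}, nonce...) // key ID prefix allows key rotation
	blob = append(blob, ct...)
	return base64.StdEncoding.EncodeToString(blob), nil
}

// DecryptField reverses EncryptField; any tampering, wrong key, or mismatched
// customer ID surfaces as an authentication error from GCM.
func DecryptField(ring KeyRing, customerID, stored string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(blob) < 1 {
		return "", errors.New("stored value too short")
	}
	gcm, err := aeadFor(ring, blob[0])
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < 1+ns {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, blob[1:1+ns], blob[1+ns:], []byte(customerID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// NewTestRing builds a ring holding one random key under ID 1 (for the example only).
func NewTestRing() KeyRing {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return KeyRing{1: k}
}

func main() {
	ring := NewTestRing()
	enc, err := EncryptField(ring, 1, "C-1001", "123-45-6789") // constructed sample PII
	if err != nil {
		panic(err)
	}
	row := CustomerRow{CustomerID: "C-1001", Name: "Alice Example", SSNEnc: enc}
	fmt.Printf("stored row: %+v\n", row)

	pt, err := DecryptField(ring, row.CustomerID, row.SSNEnc)
	fmt.Println("decrypted for owner:", pt, err)
	_, err = DecryptField(ring, "C-2002", row.SSNEnc) // moved to another row
	fmt.Println("moved to other row:", err)
	_, err = DecryptField(KeyRing{}, row.CustomerID, row.SSNEnc) // DB dump without keys
	fmt.Println("without key ring:", err)
}
```

Two design points matter for the breach-notification argument: the key ring lives outside the database, so a dump of the tables alone yields nothing usable, and the key ID prefix lets the key be rotated without re-encrypting every row at once.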
Once concluded, the project brought them into closer alignment with their own corporate information security policies and due diligence expectations. It also allowed for certain exemptions under state breach notification laws: those statutes generally treat properly encrypted data as not breached, provided the encryption key itself was not also compromised, which makes key management, not encryption alone, the control the exemption rests on.