My wife and I went shopping for furniture this weekend. After isolating for months, it was a pleasure to be outside and doing something seemingly “normal.” When we entered the furniture store, we were met by a salesperson with a tablet in hand. As we worked with her, I realized how exposed my personal information was in this chain of stores.
The store’s business practice
The Chain’s goal is to provide a personalized experience to their returning customers. Using the tablets to provide access to previous transactions and notes helps the salesperson “know” the customer.
Each salesperson grabs a tablet at the start of their day, logs into the tablet, and then logs into their customer relationship management system (or “CRM”). The salesperson does not log out of the CRM until the end of their day, so the only electronic protection for customer data is the timeout and password on the tablet.
Tablets are not assigned to individual salespeople. The Chain wanted a way to provide access to each tablet that did not significantly impact the salesperson’s activities. Low business impact is a requirement that all privacy professionals should keep in mind when preparing new policies and procedures.
I can think of many approaches the Chain could use to meet this requirement. The one the Chain selected was to assign the same password to every tablet. The selected password: “1111.”
The tablet is meant to serve as a shared platform between the salesperson and the customer. Each time the tablet was shared with me, the password had to be entered, and entering “1111” was simply obvious. There was no attempt to hide the password from me.
The salesperson demonstrated, using the records for my wife and me, how much personal information was available. This included addresses, phone numbers, emails, purchases, customer service interactions, and internal notes.
I actually reacted physically when I learned the password. Using “1111” as a password is right up there for me with “password,” “qwerty,” “123456,” and “kal-el.” I explained to our salesperson that if a tablet in use was picked up by someone unauthorized, then all of the personal information contained in the CRM would become exposed. The response: “That will never happen.” (Sound familiar?)
What could improve this approach
Providing passwords to shared electronic platforms for use by group members is not unique to tablets. There are several alternative approaches that can be considered when you are faced with this situation. Many of these solutions could require the purchase of additional devices (tablets in this case) or coming up with another approach to authentication.
Relatively simple approaches have nothing to do with the tablet, but with the underlying CRM application. I would advocate two approaches that greatly enhance privacy.
I suggest that requiring the salesperson to re-login when changing customers in the CRM would limit exposure of personal information to that of one customer if the tablet was lost or misplaced. An example might be a salesperson working with a customer who has an emergency and leaves the tablet on a table while running off to take a phone call. Left alone, the customer could look at their own record on the tablet if it was the current one displayed from the CRM. However, if they wanted to look up a neighbor, they couldn’t without a valid login from a salesperson.
Additionally, security would be greatly enhanced by simply establishing a standard timeout period for the application after which a re-login is required. This is always a good practice for a device or application that may be externally facing.
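To make the two CRM-side controls concrete, here is an added illustration of the session policy they describe. This is not the Chain’s CRM and not code from the original post; the user name, the five-minute idle timeout, the in-memory credential store and the customer identifiers are all assumptions chosen for the example. A lookup is refused whenever the salesperson switches to a different customer record or the session has been idle past the timeout, and only a fresh re-login from the salesperson clears that state.

```python
"""Session-policy model for a shared-tablet CRM (added example, not the post's code).

Two controls from the post are modelled:
  1. a re-login is required before a different customer's record can be opened;
  2. a re-login is required after the session has been idle past a timeout.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT_SECONDS = 300  # assumed policy value: five minutes of inactivity


def _derive(salt: bytes, password: str) -> bytes:
    """Slow, salted password hash so a copied credential store is not trivially cracked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_credential(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _derive(salt, password)


# Constructed credential store for the example: salesperson -> (salt, derived key).
USERS = {"alice": _make_credential("correct horse battery staple")}


@dataclass
class Session:
    user: str
    last_activity: float            # seconds; the caller passes the clock in
    current_customer: Optional[str] = None
    authenticated: bool = True


def _verify(user: str, password: str) -> bool:
    cred = USERS.get(user)
    if cred is None:
        return False
    salt, expected = cred
    # Constant-time comparison so a wrong guess does not leak how close it was.
    return hmac.compare_digest(_derive(salt, password), expected)


def login(user: str, password: str, now: float) -> Optional[Session]:
    """Initial login at the start of the day. Returns None on a bad credential."""
    if not _verify(user, password):
        return None
    return Session(user=user, last_activity=now)


def reauthenticate(session: Session, password: str, now: float) -> bool:
    """Salesperson re-login. On success the next customer lookup is authorised."""
    if not _verify(session.user, password):
        return False
    session.authenticated = True
    session.current_customer = None   # the re-login authorises exactly one new record
    session.last_activity = now
    return True


def open_customer(session: Session, customer_id: str, now: float) -> bool:
    """Return True if the record may be displayed, False if a re-login is required."""
    # Control 2: idle timeout. Once tripped, even the current record is hidden.
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        session.authenticated = False
    # Control 1: switching to another customer needs the salesperson's credential,
    # so a customer left alone with the tablet cannot browse to a neighbour's record.
    if session.current_customer is not None and customer_id != session.current_customer:
        session.authenticated = False
    if not session.authenticated:
        return False
    session.current_customer = customer_id
    session.last_activity = now
    return True


if __name__ == "__main__":
    s = login("alice", "correct horse battery staple", now=0.0)
    print("first record:", open_customer(s, "cust-100", now=10.0))     # True
    print("neighbour lookup:", open_customer(s, "cust-200", now=20.0))  # False
    print("re-login:", reauthenticate(s, "correct horse battery staple", now=21.0))
    print("after re-login:", open_customer(s, "cust-200", now=22.0))   # True
    print("after idle:", open_customer(s, "cust-200", now=22.0 + 301))  # False
```

The clock is passed in as an argument rather than read inside the functions, which keeps the timeout rule testable and makes the policy explicit: the CRM, not the tablet lock screen, decides when customer data stops being visible.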
Defense in Depth
The two suggestions provide a simple example of how to apply Defense in Depth. Defense in Depth recognizes that different intensities of security controls can be used as you get closer and closer to the data.
Today, the Chain exercises three levels of defense:
- Obtaining a tablet – this is a physical control as the tablets are kept in a back room with access limited to employees.
- Accessing the tablet – the “1111” password provides a level of defense, albeit weak.
- Accessing the CRM – limits access to customer information to those who need the information to do their jobs.
When initially looking at the Chain’s situation, the weak tablet password leaps out as the place to improve. However, analyzing the overall structure of controls shows that modifying the CRM application itself provides enhanced security with minimal disruption to business operations.