Take Steps to Secure Customer Data
Happy New Year, and welcome back to the second edition of Ask Kevin Anything (AKA), the monthly parking technology advice column. If you missed the first edition of AKA in last month’s Parking Today, I encourage you to read it for more background information about this column. I appreciate everyone who sent in their questions last month. Please keep them coming! This month we have an interesting question about the data security of parking systems.
I have heard about data breaches and hacks in other industries, but never in parking. As the Director of Parking for a mid-sized operation, should I be worried about the data security of my parking systems?
Concerned in Columbus
Dear Concerned in Columbus,
Thank you for your excellent question. The simple answer is: yes. The security of your parking systems is now, and frankly, should have always been, one of your high-level concerns. Similar to other systems in your operation that oversee items of value, such as cash, credit cards, physical permits, etc. you must put in place policies and procedures to keep them secured.
Furthermore, much like these systems, you should also know that at the end of the day, there might still be theft, but your procedural safeguards in place should detect, limit, report, and recover from that theft. There have been several breaches of parking systems over the years. Due to the relatively small size of the industry and advertising power of vendors, most of the breaches have been kept quiet. However, just because you haven’t heard of them doesn’t mean they haven’t happened.
While it might seem obvious, parking data can be valuable, and the value of that data is directly related to how that data can be used. Parking systems hold a surprising amount of data about your operation and customers. Depending on the parking system, it could contain any of the following types of customer data, including Name, Address, Vehicle, Financial, Employment, Parking Location History, Parking Permit Usage History, and Infraction History, to name a few.
Depending on your situation, some of this data could be protected by local, state, and federal laws. A few of the higher-profile laws include.
GDPR- General Data Protection Regulation (European Union)
CCPA- California Consumer Privacy Act (State of California)
FERPA- Family Educational Rights and Privacy Act (Higher Education)
HIPPA- Health Insurance Portability and Accountability Act (Medical)
Additionally, every state in the United States has laws around customer notification and protection when a data breach occurs. These laws vary from state to state and country to country, and the person on your team responsible for legal compliance should investigate your local requirements and analyze risk levels. Additionally, some of these laws, such as GDPR, can affect your operation if you are serving a particular country’s citizens even if you are not operating in that country.
Quite a few items go into keeping your data safe, but here is a short checklist to ask your IT team and solution vendors.
1- How is the data encrypted? Encryption converts your data into a form unreadable to unauthorized users. Data can be encrypted both when “transmitted,” such as being sent to an app, and “at rest” when being stored in a database. Ideally, your system should encrypt data both when transmitted and at rest.
2- How is the data hosted? As discussed in more depth last month, data can be hosted locally or remotely. Additionally, it can be stored in a database dedicated to your operation, called single-tenant; or in a database with multiple operations, called multi-tenant. Both approaches offer advantages and disadvantages. Related to data security, if your system is multi-tenant this means your data is in the same overall database as other customers, and if another customer has a data breach, it could have an impact on your data, as well. Especially, if the data is not encrypted “at rest” in the database.
13- What are the data security policies, procedures, and audit results? Data security should be a key focus of your vendor, and as such, they should be able to provide you with their policies and procedures around data security. These should cover not only the hosting of your data, but also how the software is designed, built, and tested. Additionally, these companies and their hosting providers should be performing regular security audits of both the hosting systems and the software running on those systems. They should be able to provide you with the results of those regular audits.
3- Do they carry cybersecurity insurance, and what is the coverage? All of your technology vendors should carry cybersecurity insurance with limits high enough to cover the costs of government-mandated user notification, credit monitoring, and other corrective actions. Ensure this coverage actually covers your operation and not just the vendor.
4- Have they or one of their customers had a data breach in the last 18 months? If a breach has occurred, you will want details about what caused the breach and what has been done to improve security going forward.
Data security for your parking operation is similar to physical security for your home. You take steps to keep your house safe, live in an area with a low crime rate, lock your door, get an alarm system, and maybe even keep your precious items a home safe. Then you have insurance in case something unexpected happens. For your parking operation, select technology solutions that are designed for security, make data security awareness part of your culture, incorporate regular organizational reviews of your systems, maintain correct levels of cybersecurity insurance, and then relax knowing you have mitigated the risks as much as possible.
Just as you cannot stop a determined person from breaking into your house, there is no such thing as a 100 percent safe computer system. But like your house, this fact should not stop you from taking the necessary steps to secure your systems. Kevin
If you have a parking technology question, please send it to me at firstname.lastname@example.org.