The Expert's View with Daniel Burks

Protecting Against 'Visual Hacking'
Practical Steps for Protecting Customer Data

It's no secret that a data breach can rock customers' trust and confidence in a company, let alone the company's bottom line. According to the TRUSTe 2014 U.S. Customer Confidence Privacy Report, 89 percent of consumers say they avoid companies they do not trust to protect their information.

As a privacy officer at a leading U.S. banking institution, I help our bank employees balance their need to use customer information to conduct business transactions with meeting and exceeding customer privacy expectations.

The personal interactions our customers experience with us form much of their perception of trust. How we handle their information in traditional interactions sets their perception of how they will be treated both in-person and online.

Customers respect companies that take extra measures - those they see and those they don't - to protect their information.

"Visual privacy," as I call it, protects customer information from visual hacking - a low-tech method used to visually capture sensitive, confidential and private information for unauthorized use. Visual hacking can occur when a worker's log-in credentials are seen by a malicious party and used to access sensitive information, or when someone snaps a cell phone photo of confidential company spreadsheets or presentations. Companies should focus on these areas to maintain and even increase consumer trust.

After all, it only takes one piece of visually hacked confidential information - like an employee's log-in credentials written on a piece of paper left on a desk or seen on a screen - to launch a large-scale data breach of customer information.

Here are some key ways to protect your organization from so-called visual hacking:

  • Take into account what information absolutely needs to be collected, retained and displayed to employees. Only require customers to disclose information that is necessary to complete a transaction or appointment. This information should immediately be securely stored. Remove or redact sensitive information from the network or customer profile that is no longer needed, and then ensure secure destruction of that information.
  • Include visual privacy in company policies and standards. Standards should be actionable and define the steps employees should take to uphold visual privacy. Ensure that the language used in these policies and standards addresses visual hacking threats stemming from physical documents and confidential information that might be displayed on devices in public or open office settings.
  • Educate employees about good visual privacy practices, the threat of visual hacking and other low-tech attacks, and create an ongoing communication plan. Increase awareness of the threat of visual hacking by highlighting the issue and standards the company has in place to combat it. Implement different media, such as newsletters and awareness bulletins, for broader exposure. Include real-world examples for the most effective learning. Regularly train employees as the first line of defense to recognize and inform supervisors of behavior that may lead to visual hacking.
  • Enact a "clean desk policy" for workers with desks in open areas. This is especially true for banks, medical clinics and other brick-and-mortar locations where employees access sensitive information in environments with significant customer foot traffic. Extend this policy by requiring employees to promptly remove documents from printers and copiers and to properly dispose of confidential documents with shredders.
  • Take visual privacy into account when designing customer interaction locations. For example, in the healthcare industry, sequester check-in stations and areas where patient information is being gathered. Not only does this show the company values the personal health information of its patients, but it also helps with compliance. In other open environments, such as at banks, situate computer monitors used by tellers and other bank staff toward walls and away from wandering eyes.
  • Outfit computer monitors and device screens in open spaces with privacy filters and screen protectors. Privacy filters black out side views of screens from potential visual hackers but still allow the employee to see a clear image. For tough areas with significant public exposure and minimal barriers, couple traditional privacy filters with additional tools, such as 3M's ePrivacy Filter technology, which alerts users when an over-the-shoulder onlooker is behind them and automatically blurs the screen.
  • Proactively complete routine situation and site analyses to use as awareness tools. Keep a log of documents and files that are regularly observable and adjust IT/security standards, communication plans and training modules to address the findings of these analyses.

To protect customer privacy and increase trust, companies need to take the necessary measures to uphold visual privacy. A visual privacy policy that couples physical controls with ongoing employee education can set the foundation for a secure location, enhanced information privacy and security and, as an added benefit, enhanced customer trust.

Daniel Burks, chief privacy officer of U.S. Bank, is a member of the Visual Privacy Advisory Council, a panel of privacy and security experts that promotes tools and processes to mitigate visual hacking.



About the Author

Daniel Burks

Enterprise Chief Privacy Officer, U.S. Bank

Burks has had an extensive background in the financial services industry, which includes 30 years of experience in privacy, risk management, business technology design and financial systems integration. As the CPO for U.S. Bank, Burks leads a team responsible for safeguarding all customer information. He is a member of the Visual Privacy Advisory Council, member of the board of advisors for Twin Cities Privacy Network and co-chair for the Responsible Information Management Council.



