Working with consumer data can be tricky. People are rightly cautious about where and with whom they trust their data. As developers, it’s our job to ensure that users’ personal data is treated with the highest security standards possible.
If you’re building, or thinking about building, an application using a data provider’s API, you may wonder: What’s the best place to start to make sure my company’s data management practices maintain the highest level of security? How can I then communicate this to our users and other consumers, so that they’re willing to put their personal data in our hands?
I interviewed a couple of successful developers and asked them to shed some light on these challenges. Fritz Robbins, CTO of Personal Capital, and Andrew Badstubner, CTO of Kabbage, provided interesting insights into the best practices they’ve developed while building and scaling their products.
First things first: Do your homework, and set your own security standards
Both developers say due diligence is the crucial first step in ensuring top-level data security. Depending on what type of research and vetting process you choose, they added, this could take anywhere from a few days to a few months. To build consumers’ trust in your application, you have to show them why they should trust you. Similarly, an API partner should have to gain your trust.
“The first step is to formulate a comprehensive security policy and identify what your own company’s requirements are,” said Badstubner. “Then, do some digging into your potential provider to validate that their security meets or exceeds your standards. Review their security documentation, SOC 1 and SOC 2 accounting standards.”
Robbins breaks down some different forms this due diligence can take: “It can include a comparative analysis of a provider; implementing a prototype or a proof-of-concept, which is the most time-consuming and effort-intensive of the bunch; deep due diligence on their technology and team; and potentially a contract negotiation.”
Robbins recommended checking into a provider’s general reputation in the industry through peers, forums and industry news. It’s also a good idea, he said, to check which certifications the provider has earned. If a provider has gone through the process of obtaining certifications such as the ISO/IEC 27000 family of standards and PCI DSS, it demonstrates a strong focus on security that other providers may lack.
Regarding some of the basic questions you should ask a potential provider, Robbins continued, “Be sure to ask whether the company has a chief security officer. Additionally, probe into reviewing artifacts in a one-on-one environment--for example, by reviewing their breach reports, which are internal trails about how they’ve responded to breaches. Seeing what kinds of processes they have in place, and what internal testing can turn up, is really valuable.”
Validating a provider’s security standards doesn’t end when you sign the papers. Making sure your standards align is an ongoing process that requires consistent check-ins.
“Hold regular touch-base meetings with your provider to request the results of the audits they’re doing on their infrastructure,” Badstubner recommended. This sort of regularity will ensure security is always top of mind and allow you to build a bulletproof product.
You know your data is secure; now, show it
Communicating the security of consumer data to users can be challenging–especially for a startup.
“It’s a bit of a balancing act,” said Robbins. “You want to convey enough information to be reassuring, without getting into the weeds of technical jargon that can be scary for many people.”
In any case, what you’re doing to secure consumer data should be clearly articulated right on your website.
“One of the things we reiterate is that we use better-than-industry-standard encryption, so user names and passwords are never shared,” said Badstubner.
However, it’s important to know your audience when it comes to communicating data security. Though overly technical language may intimidate the layman, sometimes you’re dealing with more advanced users who are well-versed in data security and are interested in the details.
“In that scenario, we’re sure to run down our full security certifications and encryption schemes, and talk more about how our data provider’s aggregation architecture works,” said Robbins.
Generally, a team’s reputation goes a long way with consumers. People like to know their data is in the hands of qualified individuals who have experience in the industry.
“We communicate our team’s reputation, and let them know that starting with our CEO, Bill Harris, every member of our team has a real depth of experience in the security and Internet financial space,” explained Robbins.
Consumers also feel safety in numbers. “It helps to show how many other people are using our service,” Badstubner noted. “We reassure users that we’ve been trusted by over 100,000 other customers, and that over $200 million has gone through our site in loans.”
Personal Capital does likewise, pointing out that more than 500,000 people use Personal Capital to manage over $100 billion of their personal finances.
Stand on the shoulders of a qualified provider
Paying attention to privacy and data protection laws is critical as more and more finance goes international. These laws can be enough of a challenge within the United States, but when dealing with data from other countries and regions, it can really get complex for a small startup to manage. That’s when, Robbins noted, working with a large, trusted provider and leveraging its experience in the industry can really work to a startup’s advantage.
“One of the benefits for a startup of working with cloud-based providers is that you can ride along with what they’re doing,” said Robbins. “We operate with the Amazon Web Services (AWS) platform infrastructure, which works in compliance with different privacy laws and data localities in every region throughout the world. As a startup, or a small business owner, ultimately you’re responsible for the compliance of your customer data. But standing on the shoulders of trusted providers gets you a long way.”
There you have it: insights from the experts on how to verify, communicate and scale your company’s security standards. Nobody said it was going to be an easy process. But these days, when a new security breach seems to make the news each week, maintaining the highest data security standards is crucial.
And, trust me, the payoff is worth it. APIs allow you to bring new levels of personalization and engagement to your app that wouldn’t be possible without secure data as a building block.
I hope these insights were helpful. Please share questions, or tips of your own, in the comments section.