Your gym has valuable information about your members. If something happens to this data, it can cost your business millions and hurt your reputation.
Our digital economy runs on data. The collection and exchange of data can provide businesses—especially in the fitness industry—vital insights helping to target and better serve customers. Sharing data allows consumers to enjoy a multiplicity of goods and services, all available in fast and convenient transactions.
The downside of this constant, massive flow and exchange of information is the risk of data being lost, stolen, or compromised.
A data breach is when sensitive, confidential, or otherwise protected data is accessed or disclosed without the permission of the business holding the data or the consumer providing it. This information can include:
Data breaches can involve staggering amounts of records. If you've turned on the news in the last few years, you've probably heard of these four data breaches.
OK, I know what you are thinking, “Health clubs are not a huge tech business like Yahoo! You don’t have a billion records or anyone looking to hack your health club. Only big companies need to worry about data breaches.”
While it’s true that some data breaches occur due to criminal activity such as hacking into a system. Many more breaches are the result of mundane everyday occurrences, such as:
Your health club carries valuable and sensitive information about your members and employees, and protecting it is both your responsibility and good business practice.
Data breaches cost businesses big money. Equifax’s 2017 data breach could end up costing the company up to $700 million. The Ponemon Institute, which tracks the cost of data breaches, reported the average total cost of a data breach in 2018 was $3.86 million and the average cost per stolen or lost record was $148.
“Your health club carries valuable and sensitive information about your members and employees, and protecting it is both your responsibility and good business practice.”
If your club has 2,000 members and half become victims of a data breach, it could cost your business up to $148,000. Add to that the damage to your reputation and the loss of trust from your members, and you can begin to see how a data breach can hurt your business.
Data breaches are not inevitable. With the proper precautions, you can protect your health club from a data breach. Here are seven best practices for data breach prevention.
Create policies limiting who has access to sensitive data and what and when sensitive data is disclosed or shared. For example, restricting access to member payment information to only employees who handle billing would limit access to the data. While a policy limiting weekly disclosure of billing information only to upper management would similarly restrict access to consumer data. Having policies limiting both access and disclosure of sensitive data is a valuable reference tool for employees and helps protect you during litigation.
A strong password includes not allowing repeat use of passwords and requiring that they are changed frequently. Also, consider using multi-factor authentication; this trend requires authentication on a computer or laptop as well as on an employee's phone or another secure device.
You need to decide if you are going to allow employees to use their own devices for work purposes. BYOD policies include security considerations around allowing external devices to connect to your network.
Software limitation applies to both company devices and personal devices used for work. You should require employees to install and use the software that best fits your security needs. For example, if Google Chrome is the most secure internet browser for your business, then it makes sense to implement a policy prohibiting the use of another browser, even if employees find it to be more convenient. You should also limit the websites that employees have access to, as they may contain malware or other harmful programs or viruses.
Encryption is a security method that scrambles data using mathematical algorithms and leaving only people who possess the sender's key able to decode the message. There are multiple types and levels of encryption ranging from encryption of a single file up to full computer encryption. Encryption can be particularly helpful as a method of securing a laptop or other device that could be lost or stolen. There are several encryption services and techniques, and you should seek one that fits your businesses’ needs. It should go without saying, but make sure to install software updates on all devices regularly.
To ensure compliance with security standards, you should audit your internal operations at regular intervals.
Proper data protection does not end with your employees and equipment but extends to other organizations with which you share data and do business. Extend your data security practices in any agreements you have with third-party vendors to ensure the protection of your company's, employees', and members' data.
It is important to remember that simply developing and handing out a data protection policy is not enough. You and your health club will only benefit from a data protection policy if you enforce it.
Many data privacy statutes require the use of “reasonable measures” to ensure the security of sensitive data. While not always convenient, employees need to understand that the data protection policies exist to secure member and employee data, and everyone must follow the rules.
There is no foolproof way to prevent a data breach. However, if you implement these best practices, you will significantly reduce your business' risk of falling victim to a breach.
Jeff Perkins previously served as IHRSA's Vice President of Governance & Public Affairs—a position that focused on monitoring and influencing legislation at the state and federal level to protect club business models and operations, and help promote the health benefits of exercise.
