Game companies that store hundreds of thousands, or millions, of customer service records need evolving technical measures in place as well as the policy-level considerations above. Security is an arms race in which attacks, protections, and countermeasures are constantly at battle with one another.
We know that state-of-the-art technical security in 2012 would include encrypting very sensitive data such as credit card numbers, parameterizing queries to prevent SQL injection, and implementing strong input validation to protect systems from invalid character entries.
While any system can be attacked via zero-day vulnerabilities, ensure your systems are rigorously updated with all security patches to prevent needless exposure.
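As an added illustration of two of the measures listed above (parameterized queries and input validation), and not code from the original article: a customer-service ticket lookup built by string concatenation beside its hardened form. The table, the account names and the `tickets` schema are constructed sample data; the functions are hypothetical.

```python
import re
import sqlite3

# Constructed sample: a tiny in-memory customer-service records table (not real data).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, account TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO tickets (account, note) VALUES (?, ?)",
        [("alice01", "refund request"), ("bob_77", "password reset")],
    )
    return conn

# Allow-list for account names: letters, digits and underscore, 3 to 32 characters.
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")

def validate_account(account: str) -> bool:
    """Strong input validation: reject anything outside the allowed character set."""
    return ACCOUNT_RE.fullmatch(account) is not None

def lookup_unsafe(conn, account: str):
    """Vulnerable form: the query is assembled from the raw user value,
    so a value containing a quote changes the SQL itself."""
    sql = "SELECT account, note FROM tickets WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, account: str):
    """Hardened form: validate first, then bind the value as a parameter so the
    database treats it as data, never as SQL. Returns None for rejected input."""
    if not validate_account(account):
        return None
    sql = "SELECT account, note FROM tickets WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"   # constructed malformed input for the comparison
    print("unsafe:", lookup_unsafe(db, probe))   # leaks every record
    print("safe:  ", lookup_safe(db, probe))     # None: rejected by validation
    print("safe:  ", lookup_safe(db, "alice01")) # one matching record
```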
We also know these measures and how they are implemented will change next year, and even over the course of this year. As your company follows its own internal road map, the company's security should be audited regularly. These audits should usually be internal, but on occasion the network should engage an independent third-party auditor to conduct the security system review.
Interacting with external auditors on an ongoing basis provides both a different perspective as well as market knowledge that cannot be achieved internally. Furthermore, regularly planned external audits reduce the emergency or reactive character associated with bringing in external auditors only after a breach.
Every organization should have a written information security program which sets forth the organization's data management and security practices. This is actually required by law in some jurisdictions if a company collects personal data; however, it is a best practice regardless. The plan should be reviewed and updated on an annual basis. Such a plan makes it easier to measure and manage compliance with sound security practices, since there will be objective standards to measure against.
Extra caution should accompany any project that involves the collection or use of personal information from children. If there is one area of privacy and data security that unites lawmakers, regulators, and consumers, it is the need to protect children online.
Everything in this article applies to children under 13 as well as adults. In addition, compliance with the Children's Online Privacy Protection Act (COPPA) is required if your service is directed to children under 13, or if you know your service is collecting information from children under 13.
In addition, there are self-regulatory guidelines imposed by industry organizations such as the ESRB Kids Privacy Certification and the Children's Advertising Review Unit that monitor self-regulatory programs and COPPA compliance.
COPPA compliance review should be part of the company's privacy and security audit procedures. Certainly, any substantial loss of children's data would carry many of the costs attributed to adult data breaches and would likely include additional negative publicity. Last year, Playdom was fined 3 million dollars for a COPPA violation.