What you need to know about Chatbot Security

In 2022, most companies rely on chatbots or intelligent virtual assistants (IVAs) as the front line of their support and customer experience journeys. While interacting with customers 24/7/365, chatbots handle a multitude of customer and company information whose privacy is critical. If this information is not well protected with the correct architecture, industry standards, and best practices, the security of your business becomes questionable.

In this blog, I would like to take a deep dive into the world of Chatbot Security, and hopefully, by the end, you will know everything you need to know to choose the right Chatbot vendor for your business.

First, let’s talk about sensitive information

Sensitive information falls into 3 categories:

  1. Personal - Information about an individual
  2. Business - Information about a business or entity
  3. Classified - Any information or material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and need to know, and mishandling of the material can incur criminal penalties. (source: Wikipedia)

Let’s also look into Personal Information

Personal information is nothing but two things. First, data or information that can personally identify someone, abbreviated as PII. Below are some very sensitive information categories related to an individual:

  1. National identification number (e.g., Social Security number in the U.S., Aadhaar number in India)
  2. Bank account numbers
  3. Passport number
  4. Driver's license number
  5. Medical reports and prescriptions
  6. Debit/Credit card numbers

The following examples are less often used to distinguish individual identity because they are traits shared by many people. However, they are potentially PII, because they may be combined with other personal information to identify an individual:

  1. Full Name
  2. Home Address
  3. City
  4. State
  5. Postcode
  6. Country
  7. Telephone
  8. Age, Date of Birth, especially if non-specific
  9. Gender or race
  10. Web cookie (source: Wikipedia)

In short, any information about an individual (a citizen, student, lawyer, etc.) that should be visible or accessible only to that individual and a limited set of parties would be deemed PII.

So, why is protecting sensitive information important? 

  1. Data breaches are at an all-time high. A report from IBM discusses this.
  2. PII like my address and name could tell anyone in the world where I live, and it could be a threat. Someone might come and kill me, loot me, or try to hack the Wi-Fi router at my home to get information. 
  3. Information leaks from a government agency could lead to another World War. 
  4. To avoid cyber-fraud such as impersonation through identity theft: by stealing your PII, fraudsters create social profiles and use them for illegal or unethical activities. The hacker might ask for a ransom as well. This has been on the rise lately.
  5. The idea is to make data available only to those who are authorized.

In my opinion, while all industries must focus on protecting sensitive information, it becomes a non-negotiable when it comes to the Healthcare and Finance industry.

Risks / Problems for a business handling or working with Healthcare Information:

  1. Loss or leak of any of the above information will lead to heavy penalties on the data processor (Haptik).
  2. To handle such data, a processor (Haptik) usually requires HIPAA or some other healthcare certification, which confirms that Haptik has all the policies and procedures in place to handle and take care of medical information.
  3. While processing such healthcare data (PHI), the data processor (Haptik) tries to use suppliers/vendors that meet all the security and privacy obligations required by Haptik's customer.
  4. It is also not about stating in the legal contract that the data processor (Haptik) won't be liable. That does not work in real life, and most customers won’t accept it. A breach will still cause reputational loss. We believe in actually deploying measures to keep data safe.
  5. In case of a breach or a lawsuit, it might cost your company millions of dollars.


Risks for a business handling or working with Financial Information:

  1. Loss or leak of any of the above information will lead to heavy penalties on Haptik.
  2. We need to be PCI-DSS or other financial audit certified, which we are not. 
  3. Access control fixes, like removing unwanted people from partners, are an ongoing activity and still not very strict, so a lot of people can see chat links.

Another important thing to note is that every region has its own privacy guidelines (e.g. GDPR in the EU), which must be followed if one is doing business there or handling PII / PHI. Almost all countries and regions are coming up with frameworks that will be enforced one way or another, so compliance with those frameworks/standards is also required. Haptik is already compliant with CCPA, GDPR, PDPA etc.

As a service provider/customer or user of service, if you don’t want to make the headlines for the wrong reasons, protecting PII/PHI is very important. 

Chatbots and PII

Chatbots usually front the business’s support or automate requests raised by users. Any chatbot or IVA you have a conversation with will collect some information about you, be it your IP address, cookies, or something else you are asked for during the conversation in the chat window.

I have seen everything from chatbots where you can transact using your bank account to chatbots where you can literally book an appointment with a psychologist. Most chatbots are open-ended and allow users to upload/send data as they want. This usually calls for proper T&C before users start using the chatbot, and for stronger technical security controls when handling such data.

Now, if any of this information gets leaked, it could lead to a catastrophe. It could lead to reputational loss, individual data being shared with some 3rd party for advertisement or posted on social media, or even worse, sold at a decent price on the DarkNet.

Some references for recent data breaches are Delta Airlines, Tinnudohw Law LLP, ScatterLabs etc.

Plus all the other reasons I have mentioned above around PII and PHI privacy and security. 

What technical measures & controls do we have in place?

Most Chatbot/IVA providers do not wish to share how they protect information or what security controls they have in place to secure the privacy of the information they collect and process. At Haptik, we are open, responsible and transparent in informing stakeholders of what we do, how we do it and why we do certain things to protect and maintain the CIAP (Confidentiality, Integrity, Availability and Privacy) of any information we collect and process. At the same time, we are receptive towards adopting best practices from our peers and the industry.

Follow us for the next blog, which is going to be an eye-opener on how much we do in the background when it comes to Chatbot Security.