WebCE's Approach to Keeping Customer Data Secure

By Scott McKelvey

October 21, 2024

In today’s modern world, digital security is a critical consideration for the health of businesses and individuals alike.  


As the technology leader in our industries, nowhere is this more important or evident than at WebCE.  

 

What is “Customer Data”? 

When we talk about securing customer data, it’s important to understand what we mean. 

 

Many companies use qualifiers such as “confidential data” or “sensitive information” to limit the data they secure and protect to the subset that is highly impactful. In other cases, people might protect “PII” (Personally Identifiable Information) or “PI” (Personal Information), meaning the subset of data that describes an individual directly, such as what you might find on a profile.


At WebCE, when we talk about “Customer Data” we include all of those plus more, and take every effort to secure them all.  


This includes: 

  • Sensitive and confidential information such as SSN 

  • Identifiable information such as License Numbers and NPN, even though they may be considered public or non-confidential 

  • Personal information such as address, email, and phone number 

  • Every other bit of system data related to customer accounts, such as which courses they’ve taken and exam grades 

 

Impenetrable Security 

Throughout time and technology, only one method has proven effective against every form of cyber intrusion, hacking, data breach, or social engineering: not having the data to begin with.


This is the first and best defense we employ any place we can. Unlike Facebook, we’re not a data conglomerate or data reseller. We are happy to deliver online education with as little customer data gathered as we can manage.  


That said, the value we provide to customers is not purely educational. In most cases, we must also track and report those completions to regulatory agencies and provide specifically-approved certificates with a variety of required information. The most convenient way for us to meet all these needs across the 400+ regulating authorities would be to gather the same information from every student.  


Instead, we built an intricate system of identifying the individual requirements from every regulator, so we only collect the minimum information needed from each student based on their specific purchases.  


Regulator in your state doesn’t require SSN or Date of Birth? Great, we don’t want it. We won’t ask for it. We won’t store it. This means we will never be at risk of exposing it. 


We don’t always have the choice in what we are required to collect. If we’re required to create certificates with the last 4 digits of an SSN, we will collect it to ensure absolute compliance—just the last 4 digits, though, not your full SSN.  
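The per-regulator collection rule described above, as an added example that is not WebCE's own code: the regulator names, field names and requirement table are hypothetical, and an unknown regulator fails closed rather than defaulting to collecting everything.

```python
# Added illustration: regulator names and field requirements are hypothetical.
REQUIREMENTS = {
    "STATE_A_INSURANCE": {"npn"},
    "STATE_B_INSURANCE": {"npn", "ssn_last4"},
    "STATE_C_REAL_ESTATE": {"license_number", "date_of_birth"},
}
BASELINE = {"email"}  # assumed: needed to deliver any course


def fields_to_collect(regulators):
    """Union of what each purchased course's regulator requires, nothing more."""
    needed = set(BASELINE)
    for reg in regulators:
        if reg not in REQUIREMENTS:
            # Fail closed: never fall back to "collect everything".
            raise ValueError(f"no requirement profile for {reg!r}")
        needed |= REQUIREMENTS[reg]
    return needed


def minimize(submitted, regulators):
    """Build the record to persist; unrequired fields never reach storage."""
    record = {}
    for field in sorted(fields_to_collect(regulators)):
        value = submitted.get(field)
        if not value:
            raise ValueError(f"missing required field {field!r}")
        if field == "ssn_last4":
            digits = "".join(ch for ch in value if ch.isdigit())
            if len(digits) < 4:
                raise ValueError("ssn_last4 needs four digits")
            # Even if a client sends more than asked, keep four digits only.
            value = digits[-4:]
        record[field] = value
    return record


if __name__ == "__main__":
    form = {  # constructed sample input
        "email": "student@example.test", "npn": "1234567",
        "ssn_last4": "123-45-6789", "date_of_birth": "1980-01-01",
    }
    print(minimize(form, ["STATE_A_INSURANCE"]))
    print(minimize(form, ["STATE_A_INSURANCE", "STATE_B_INSURANCE"]))
```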


In these scenarios, we routinely reach out to regulators to ensure that data is still necessary and determine if there are other ways we can work together to eliminate the requirements. Over time, we’ve helped shape and reduce the data reporting needs in a variety of industries, such as supporting the rollout and transition away from SSN and to NPN for the reporting of Insurance CE credits in every state. 

 

Data Encryption 

Where we must record and store customer data, sensitive or otherwise, we maintain strict rules and policies around data encryption to protect the data.  


Encryption refers to the principle of utilizing secure keys to obscure data in a way that makes it useless to any hacker or observer who should get hold of that data. Of course, we don’t want anyone to gain access to the data, and we protect it with all manner of physical and network security measures. Should all those precautions fail, however, we would still have confidence that the data wouldn’t be readable by the attacker.


Two Points of Data Exposure 

Data could be exposed at either of two different points: either in the location it is being stored (called “At Rest”) or during a process by which it is being moved between storage locations (called “In Transit”). 


Encryption “At Rest” 

Encryption “At Rest” occurs in a variety of forms. Data is primarily stored in our database, which utilizes Transparent Data Encryption (TDE) to ensure the entire database and all contained data are readable only from within the approved secure environment. While this covers all customer data, we additionally double-encrypt sensitive information with a second key for maximum security.


Encryption “In Transit” 

Encryption “In Transit” is primarily the transition of information from our servers to customer browsers (when viewing the website) or to the regulating authorities during completion reporting. Both are primarily protected by SSL encryption (i.e., HTTPS), utilizing security best practices of short-lived, rotating certificates any time the information is sent through the internet.


In conclusion, we don’t want your data and work hard to reduce your exposure whenever possible by collecting and storing only the minimum amount required.  


For the data we do have, we protect it with multiple layers of security up to and including full encryption of all data in case every other precaution fails. “Worry-Free Experiences” is one of our mantras, and we especially strive to achieve that when it comes to data security.
