7 Ways to Protect Your Health Club From a Data Breach

Your gym has valuable information about your members. If something happens to this data, it can cost your business millions and hurt your reputation.

Our digital economy runs on data. The collection and exchange of data can provide businesses—especially in the fitness industry—vital insights helping to target and better serve customers. Sharing data allows consumers to enjoy a multiplicity of goods and services, all available in fast and convenient transactions.

The downside of this constant, massive flow and exchange of information is the risk of data being lost, stolen, or compromised.

What Is a Data Breach?

A data breach is when sensitive, confidential, or otherwise protected data is accessed or disclosed without the permission of the business holding the data or the consumer providing it. This information can include:

  • credit card information,
  • social security numbers,
  • bank accounts,
  • even a consumer's username or email address in combination with other identifying information.

How Frequent Are Data Breaches?

Data breaches can involve staggering amounts of records. If you've turned on the news in the last few years, you've probably heard of these four data breaches.

  1. In 2017, the consumer credit reporting agency Equifax suffered a breach that affected 146 million accounts.
  2. Marriott suffered a breach at the end of 2018, involving 500 million guests' information.
  3. In late 2018, Facebook disclosed that attackers had exploited software bugs to steal access tokens that let them log in as users, for what officials initially estimated at 50 million accounts; the count was later revised to about 30 million. To date, this is considered Facebook's worst security breach.
  4. The biggest data breach—so far—goes to Yahoo!, back in 2013 when an estimated 3 billion accounts were compromised. The breach was so massive and pervasive that Yahoo! did not disclose it until 2016 and did not reveal its full extent until 2017.

OK, I know what you are thinking, “Health clubs are not a huge tech business like Yahoo! You don’t have a billion records or anyone looking to hack your health club. Only big companies need to worry about data breaches.”

It is true that some data breaches are the result of criminal activity such as hacking into a system, but many more come from mundane, everyday occurrences, such as:

  • sending out an email with financial information to the wrong account,
  • or an employee losing a laptop with sensitive information on it.

Your health club carries valuable and sensitive information about your members and employees, and protecting it is both your responsibility and good business practice.

Data breaches cost businesses big money. Equifax’s 2017 data breach could end up costing the company up to $700 million. The Ponemon Institute, which tracks the cost of data breaches, reported the average total cost of a data breach in 2018 was $3.86 million and the average cost per stolen or lost record was $148.

If your club has 2,000 members and half of them are affected by a breach, the Ponemon average puts the cost at roughly $148,000. Add the damage to your reputation and the loss of your members' trust, and you can begin to see how a data breach can hurt your business.

7 Ways To Prevent a Data Breach

Data breaches are not inevitable. With the proper precautions, you can protect your health club from a data breach. Here are seven best practices for data breach prevention.

1. Create Policies that Limit Access and Restrict Disclosure of Sensitive Data

Create policies that limit who has access to sensitive data and that define what may be disclosed or shared, to whom, and when. For example, restricting access to member payment information to the employees who actually handle billing limits access to the data, and a rule that billing summaries go only to upper management, and only on a set schedule, similarly restricts its disclosure. The principle behind both is least privilege: each role gets only the data it needs to do its job, and everything else is denied by default. Written policies limiting both access and disclosure are a valuable reference tool for employees and help demonstrate due care if the club is ever sued after a breach.

2. Require Strong Passwords

A strong password policy requires long passwords (12 characters or more) that are unique to each account, never reused from personal accounts or shared between employees, and not found in published lists of breached passwords. Forcing frequent changes, once standard advice, is now discouraged by NIST guidance (SP 800-63B) because it pushes people toward predictable variations of the old password; change a password when you have reason to believe it was exposed. Also require multi-factor authentication on any system that holds member data: in addition to the password, the employee must present a second factor, such as a one-time code from an authenticator app on their phone or a hardware security key, so that a stolen password alone is not enough to log in.
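As an added illustration (not code from the original article), the Go program below applies the kind of password policy described above and implements the second factor that an authenticator app provides: a time-based one-time password (TOTP, RFC 6238). The breached-password list, the account name and the passwords are constructed for the example, and the shared secret is the test-vector key from RFC 6238; a real deployment would check candidates against a full breach corpus and generate each employee's TOTP secret at enrollment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// Constructed stand-in for a breached-password corpus. In production this
// lookup goes against a full corpus (for example the Have I Been Pwned
// k-anonymity API), not a hard-coded list.
var breachedPasswords = map[string]bool{
	"password":     true,
	"password1234": true,
	"123456789012": true,
	"fitness2018!": true,
}

// CheckPassword is applied when a password is set or changed. It follows the
// NIST SP 800-63B approach: require length, reject known-breached values and
// anything derived from the account name; do not demand character classes or
// scheduled rotation.
func CheckPassword(username, password string) error {
	if len(password) < 12 {
		return fmt.Errorf("password must be at least 12 characters")
	}
	if breachedPasswords[strings.ToLower(password)] {
		return fmt.Errorf("password appears in a known breach list")
	}
	if strings.Contains(strings.ToLower(password), strings.ToLower(username)) {
		return fmt.Errorf("password must not contain the account name")
	}
	return nil
}

// totpCode computes a 6-digit, 30-second TOTP (RFC 6238 over RFC 4226 HOTP
// with HMAC-SHA1), the same value an authenticator app shows on the phone.
func totpCode(secret []byte, t time.Time) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// VerifyTOTP accepts the code for the current step and one step either side,
// to tolerate clock drift between server and phone, using a constant-time
// comparison so timing does not leak how many digits matched.
func VerifyTOTP(secret []byte, code string, now time.Time) bool {
	for _, skew := range []int{-1, 0, 1} {
		step := now.Add(time.Duration(skew*30) * time.Second)
		if hmac.Equal([]byte(totpCode(secret, step)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// Hypothetical employee account "jsmith"; the secret is RFC 6238's test key
	// and would in practice be generated at enrollment and stored server-side.
	secret := []byte("12345678901234567890")
	for _, pw := range []string{"password1234", "jsmith-rowing", "rowing-machine-quota-42"} {
		fmt.Printf("%-24s -> %v\n", pw, CheckPassword("jsmith", pw))
	}
	now := time.Now()
	code := totpCode(secret, now)
	fmt.Println("phone shows", code, "server accepts:", VerifyTOTP(secret, code, now))
	fmt.Println("stolen password alone, guessed code accepted:", VerifyTOTP(secret, "000000", now))
}
```

The point of the second half is that a code is only valid for about a minute and is derived from a secret the attacker does not have, so a password captured by phishing or a leaked spreadsheet does not get them in; the constant-time comparison and the small drift window are the two details most home-grown implementations get wrong.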

3. Bring Your Own Device (BYOD) Policies

You need to decide whether to allow employees to use their own devices for work. A BYOD policy spells out the conditions under which a personal device may connect to your network or hold club data: a screen lock, current software updates, device encryption, and your ability to remove club data from the device when the employee leaves or the device is lost.

4. Limit Software Installation and Website Access by Employees

Software restrictions apply to both company devices and personal devices used for work. Require employees to use the software that fits your security needs. For example, if you have standardized on one web browser that you keep patched and configured, it makes sense to prohibit other browsers even if employees find them more convenient. Ordinary staff accounts should not have administrator rights, so that installing software is a deliberate decision rather than a click. You should also limit the websites employees can reach from work devices, since some host malware or other harmful programs.

5. Encryption and Software Updates

Encryption scrambles data with a mathematical algorithm so that only someone holding the right key can read it. It is available at several levels, from a single file up to full-disk encryption of a laptop or phone. Full-disk encryption is the most useful protection for a device that could be lost or stolen, and modern operating systems include it (BitLocker on Windows, FileVault on macOS). Make sure it is turned on, that the device locks when unattended, and that recovery keys are stored somewhere safe and separate from the device, because data encrypted under a lost key is gone for good. There are several encryption services and techniques, and you should choose one that fits your business's needs. It should go without saying, but install software updates on all devices regularly: patches close the vulnerabilities attackers actually use, so turn on automatic updates for operating systems, browsers, and your club-management software.

6. Periodic Audits

To ensure compliance with your security standards, audit your internal operations at regular intervals: compare who actually has access to member data against who should, confirm that accounts of departed employees are disabled, check that devices are encrypted and patched, and verify that vendors are meeting the commitments in their agreements.

7. Agreements with Vendors

Proper data protection does not end with your employees and equipment; it extends to the other organizations with which you share data and do business, such as your payment processor or club-management software provider. Write your data security requirements into your agreements with third-party vendors, including an obligation to notify you promptly if they suffer a breach, to ensure the protection of your company's, employees', and members' data.

It is important to remember that simply developing and handing out a data protection policy is not enough. You and your health club will only benefit from a data protection policy if you enforce it.

Many data privacy statutes require “reasonable measures” to protect sensitive data. Following the rules is not always convenient, but employees need to understand that the data protection policies exist to secure member and employee data, and everyone must follow them.

There is no foolproof way to prevent a data breach. However, if you implement these best practices, you will significantly reduce your business' risk of falling victim to a breach.

Jeff Perkins

Jeff Perkins previously served as IHRSA's Vice President of Governance & Public Affairs—a position that focused on monitoring and influencing legislation at the state and federal level to protect club business models and operations, and help promote the health benefits of exercise.