Every business has to deal with private data at one time or another. Most companies, at a minimum, handle personnel files or customer data, in order to perform their business functions. Recent media reports about data breaches, show us that privacy and data security are increasingly under attack, and should be an issue of priority for today’s business owners. The FTC, the governing body that regulates the use, access and disposal of consumer data, has issued a guide for all businesses. Their website also provides tons of invaluable resources to help companies comply with data privacy regulations. You can view the guide and access tutorials and tips here: https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
In addition, the suggestions below, based on the FTC’s recommendations, should be a part of any data security plan you implement for your company.
Know what sensitive information your company has, where they are, and who has access to it. Consumer data may come into your company’s hands in a number of ways: from an address left on an answering machine, to an online employment application. Regardless of the manner in which it was obtained, it is your responsibility to safeguard it at all times. It can be easy to lose track of data in a company with many departments and employees, so be sure to inventory all sensitive information by type, location and authorized personnel, to ensure that nothing slips through the cracks. Track whether the information has been destroyed, or stored after use, and who has access to it, including vendors and contractors. All involved should understand their responsibilities, and your company’s policies and procedures concerning safe data handling, storage and disposal.
Limit access to sensitive information.The FCRA mandates that a permissible purpose must be established before consumer information can be obtained from a consumer reporting agency. Companies should only use and keep consumer data when necessary for business functions or when required by law. The less information in your company’s possession, the better. Only authorized individuals with an absolute business need should have access to personally identifying information. Ensure that all your employees are trained and in compliance with your privacy policies. Teach them to recognize security threats, such as phishing attempts, and dangerous software. Require that all suspected breaches be promptly reported.
Protect electronic data. Implement secure passwords standards. Require that employees change their passwords often and keep them safe at all times. Consider using multi-factor authentication. In addition:
- Do not store consumer data on any computer with an internet connection unless it’s essential for conducting your business. Information transmitted over the internet should be encrypted, and protected by SSL protocols. Warn employees to never transmit sensitive information in the body of an email. It is a good idea to encrypt all your organization’s email communications, and to protect all devices with a trusted and dependable firewall, antivirus, and malware protection software.
- Security measures should also extend to devices used by employees to access data remotely. Consider enabling a Mobility Management service on those devices. Ensure that employees are committed to preventing unauthorized access, at all times.
- Monitor your network constantly. Make sure that software is always working and apply updates regularly. Enable Breach Detection with an intrusion detection system, and implement a breach response plan.
These standards should also be implemented by any company that you exchange data with. Make it a part of your business contracts and service agreements.
Protect physical data. Paper documents, and devices, such as thumb drives, and servers that contain sensitive data must be kept under lock and key, at all times, when not in active use. As with electronic data, only employees with a legitimate business need should have access to these files.
Remind employees never to leave documents, or file cabinet keys on their desks, in an unlocked room. Do not allow employees to take home files containing personally identifying information.
Dispose promptly and securely of any physical data that is no longer needed, unless required by law. Paper can be shredded, burned, or pulverized. If using a shredding service, check their background and make sure they are reputable, and in compliance with FTC standards. Hard drives and old computers can be wiped clean with appropriate software. Manually deleting files is simply not enough.
Responsible care of sensitive and private data can help protect consumers against the perils of unauthorized access and theft of their personal information; and, also protect your business from liability, and legal trouble. In this age of hackers, and identity fraud, it is our responsibility, as business owners, to protect the information entrusted to us by the consumers we serve.