Almost all companies handle some type of customer information that could be misused if it is stolen or mishandled. Customer credit card numbers and employee Social Security numbers, for example, can easily be exploited by identity thieves and other criminals if such data is not properly protected. A data breach can deal a serious blow to any business, including loss of customer trust and possibly even a lawsuit.
The Federal Trade Commission (Federal Trade Commission) recommends determining what personal information your company has or has access to, keeping only what you need, protecting the information you do have, properly disposing of information you no longer need, and creating a plan before a crash occurs. Data Violation.
Five tips to help you protect your customer data.
1. What personal information does your company handle?
Conducting an audit of all potentially sensitive data that is controlled or accessed by your company, including who has access to what information, is the first step in protecting the personal information of customers and employees. You should:
- Inventory of computers, cell phones, flash drives, storage drives, home computers (if applicable), including file cabinets and other non-digital media; Consider other possible sources of personal information: websites, call centers, contractors, faxes, etc.
- Talk to key personnel in your company (sales, information technology, human resources, accounting, etc.), including external service providers or anyone else who may have been aware of the sensitive data.
- Get a complete picture of who might have access to various data across the enterprise; even the best data security system in the world is susceptible to human error or malicious intent.
- Be aware that different types of information carry different degrees of risk. Social Security numbers, credit card numbers, and financial information tend to be the most valuable data for fraud or identity theft.
two. Have more private data than you need?
Likewise, don’t collect or store sensitive information in the first place if you don’t need it. Personal information needed only for a specified time (at the point of sale, for example) becomes a liability if it is kept longer than necessary.
- Social Security numbers should only be used for legally required purposes, such as reporting employee taxes.
- Electronically printed credit card receipts must be shortened to only the last five digits (and the expiration date must be erased), according to federal law.
- Have a compelling business reason for storing customer credit card data for future use Make sure the software that reads and processes customer credit card numbers does not store that information.
3. Is your sensitive data properly protected?
Effective security is determined by the type of information, how it is stored, who has access, and other considerations. The best data security plans address physical security, electronic security, employee training, and the security practices of service providers and other business partners, according to the FTC.
- Store digital and printed documents in a locked location; limit access
- and require employees to keep potentially sensitive documents locked up when not in use.
- Require employees to unplug computers, lock filing cabinets, and secure their work areas at the end of the day.
- Limit employee access to external storage facilities and keep a check-in.
- Encrypt sensitive information when shipping via third-party carriers and track delivery.
- General Network Security – Identify all connections to computers where personal information is stored; assess the vulnerability of each connection; do not make sensitive consumer data accessible via the internet; encrypt confidential data sent over the internet; regularly run antivirus and antispyware programs; ensure that the software is regularly updated for security reasons; disable programs or network services that are not necessary; make sure your web applications are secure.
- Password management – Requires the use of “strong” passwords and frequent changes; set employee computers to lock up after a period of inactivity; warn employees about attempts to coerce them into providing their passwords, often over the phone; change the default passwords immediately after installing the new software.
- Laptop / Smartphone Security – Evaluate whether or not personal information needs to be stored on a laptop, removing unnecessary data with a “wipe” program; consider only allowing access to sensitive data without allowing it to be stored on laptops.
- Firewall – Firewalls are software or hardware configurations that make it difficult for hackers to access your computer.
- Wireless Access – Consider limiting the ability of inventory scanners or cell phones to access confidential information; use encryption for personal information.
- Detect a Gap – There are several intrusion detection systems on the market that help minimize damage when a breach occurs in the network; monitor inbound and outbound traffic for unusual activity.
- Perform background checks on potential new hires who may have access to sensitive data.
- Make your confidentiality and security standards clear and ask new hires to sign an agreement promising to follow those standards.
- Limit access to personal information to employees who have a “need to know.”
- Make information privacy and security training an ongoing process, not a one-time thing.
- Warn employees about telephone “phishing,” which is when criminals try to obtain confidential information through deception.
- Impose sanctions for breaches of the security policy.
Contractors and Service Providers:
Research the privacy and data security policies of potential service providers, partners, or contractors by comparing their standards with yours. Make sure service providers notify you of any security breaches, even minor and potentially harmless ones.
Four. Have you successfully deleted customer data?
Although identity theft has gained popularity in the digital age, some of the most harmful materials are still in the trash. This includes credit card receipts and other documents, as well as old computers and CDs that are thrown away without being shredded.
- Implement an information disposal practice, make it as convenient as possible (i.e. easily accessible to shredders), and communicate it to employees.
- Use CD and paper shredders and use erasure utility programs to erase stored data from old computers.
- If you use consumer credit reports in your business, be sure to follow the FTC Elimination Rule.
5. Do you have a data security response plan?
The fact is, even the strictest security can be compromised, so it’s worth thinking about ways to reduce the impact on your business, employees, and customers.
- Appoint a senior member of staff to coordinate a data breach response plan.
- Immediately disconnect a compromised computer from the Internet and intranet
- Investigate data security incidents immediately.
- Know who to contact in the event of an information security breach before it happens.
Next steps in data security
If your business has suffered a data breach or you are waiting to stop one before it happens, speak with a business and commercial law attorney in your area now. A knowledgeable attorney can help you make responsible decisions regarding your clients’ confidential data.