Are You a Legal Professional?

Protecting Customer Data

Nearly every business, large and small, handles some sort of customer data that could be misused if stolen or mishandled. Customers' credit card numbers and employees' Social Security numbers, for example, can easily be exploited by identity thieves and other criminals if such data is not properly safeguarded. A data breach can deal a heavy blow to any business, including the loss of your customers' trust and possibly even a lawsuit.

The Federal Trade Commission recommends determining which personal information your company holds or has access to; keeping only what you need; protecting the information you do have; properly disposing of information no longer needed; and creating a plan before a data breach happens.

1. What Personal Information Does Your Business Have?

Conducting an audit of all the potentially sensitive data controlled or accessed by your business, including who has access which information, is the first step toward protecting the personal information of customers and employees. This information will make it easier to determine how personal information flows into and through your organization, ultimately leading to a clearer picture of potential vulnerabilities.

  • Inventory computers, cell phones, flash drives, storage disks, home computers (if applicable), even file cabinets and other non-digital media; consider other possible sources of personal information -- websites, call centers, contractors, faxes, etc.
  • Talk to key personnel throughout your business (sales, information technology, human resources, accounting, etc.), including outside service providers or any others who may have been privy to sensitive data.
  • Get a complete picture of who could have access to various data throughout the company; even the best data security system in the world is susceptible to human error or malicious intent.
  • Keep in mind that different types of information carry varying degrees of risk. Social Security numbers, credit card numbers and financial information tend to be the most valuable data for fraud or identity theft.

2. Do You Have More Private Data Than You Need?

If your company absolutely doesn't need a given piece of personal information, why keep it? Similarly, don't collect sensitive information in the first place if you don't need it. Personal information needed only for a particular amount of time (at the point of sale, for example) becomes a liability if it's kept longer than necessary.

  • Social Security numbers should only be used for required, lawful purposes such as reporting employee taxes.
  • Electronically printed credit card receipts must be shortened to just the last five digits (and the expiration date must be deleted), according to federal law.
  • Even though some online retailers store customers' credit card information for future purchases, this is considered risky. Make sure you have a compelling business reason to store this data.
  • Make sure the software that reads and processes customers' credit card numbers isn't saving that information.

3. Is Your Sensitive Data Properly Secured?

There is no one-size-fits-all approach to properly securing employee and customer data. Effective security is determined by the kind of information, how it's stored, who has access and other considerations. The best data security plans deal with physical security, electronic security, employee training and the security practices of service providers and other business partners, according to the FTC.

Physical Security:

  • Store digital and printed documents in a locked location; limit access and and require employees to keep potentially sensitive documents locked away when not in use.
  • Require employees to log off computers, lock file cabinets and otherwise secure their work areas at the end of the day.
  • Limit employee access to offsite storage facilities and keep an entry log.
  • Encrypt sensitive information when shipping it via outside carriers and track the delivery.

Electronic Security:

  • General Network Security - Identify all connections to computers where personal information is stored; assess the vulnerability of each connection; don't make sensitive consumer data accessible through the internet; encrypt sensitive data sent over the internet; run antivirus and anti-spyware programs on a regular basis; make sure software is regularly updated for security; disable programs or services on the network that are not needed; make sure your web applications are secure.
  • Password Management - Require the use of "strong" passwords and frequent changes; set employee computers to lock after a period of inactivity; warn employees about attempts to coax them into providing their passwords, often done over the telephone; immediately change default passwords after installing new software.
  • Laptop/Smartphone Security - Assess whether or not personal information needs to be stored on a portable computer, deleting unnecessary data with a "wiping" program; consider only allowing access to sensitive data without allowing it to be stored on portable computers.
  • Firewalls - Firewalls are either software or hardware configurations that make it difficult for hackers to access your computer.
  • Wireless Access - Consider limiting the ability of inventory scanners or cell phones to access sensitive information; use encryption for personal information.
  • Detecting a Breach - There are a number of intrusion detection systems on the market that help minimize the damage when a network breach does occur; monitor both incoming and outgoing traffic for unusual activity.

Employee Training:

  • Conduct background checks on prospective new employees who may have access to sensitive data.
  • Make your confidentiality and security standards clear and have new employees sign an agreement promising to follow those standards.
  • Limit access to personal information to employees who have a "need to know."
  • Make information privacy and security training an ongoing process, not a one-time thing.
  • Warn employees about phone "phishing," which is when criminals try to get sensitive information through trickery.
  • Impose penalties for security policy violations.

Contractors and Service Providers:

  • Investigate the data privacy and security policies of prospective service providers or partners, comparing their standards to yours.
  • Make sure service providers notify you of any security breaches, even minor and potentially harmless ones.

4. Have You Properly Disposed of Customer Data No Longer Needed?

Even though identity theft has gained traction in the digital age, some of the most damaging materials are still found in the garbage. This includes credit card receipts and other paperwork as well as old computers and CDs that are tossed in the trash without being shredded.

  • Implement an information disposal practice, make it as convenient as possible (i.e. easily accessible shredders) and communicate it to employees.
  • Use shredders for paper documents and CDs and use wipe utility programs to erase stored data from old computers.
  • If you use consumer credit reports in your business, make sure you follow the FTC's Disposal Rule.

5. Do You Have a Data Security Response Plan in Place?

Just like a fire or an earthquake, you hope you'll never have to deal with a data security breach but you're always better off knowing how to respond. The fact is, even the tightest security can be compromised; so it pays to think ahead of ways to reduce the impact on your business, employees and customers.

  • Designate a senior member of the staff to coordinate a data security breach response plan.
  • Disconnect a compromised computer from the internet and intranet immediately
  • Investigate data security incidents immediately.
  • Know who you'll need to contact in the event of an information security breach before it happens.
Next Steps
Contact a qualified business attorney to help you
address you business's operational needs.
(e.g., Chicago, IL or 60611)

Help Me Find a Do-It-Yourself Solution