Protecting Customer Data
Created by FindLaw's team of legal writers and editors.
Nearly every business handles some sort of customer data that could be misused if stolen or mishandled. Customers' credit card numbers and employees' Social Security numbers, for example, can easily be exploited by identity thieves and other criminals if such data is not properly safeguarded. A data breach can deal a heavy blow to any business, including the loss of your customers' trust and possibly even a lawsuit, so it pays to prioritize how you handle such sensitive data.
Business owners should consider the following five questions to get a better assessment of their responsibilities with respect to protecting customer data. FindLaw's Internet and E-Commerce section provides additional resources.
1. What Personal Information Does Your Business Have?
The first step is to conduct an audit of all the potentially sensitive data controlled or accessed by your business, including who has access to which information. This audit will make it easier to determine how personal information flows into and through your organization, ultimately leading to a clearer picture of potential vulnerabilities.
- Inventory computers, cell phones, flash drives, storage disks, home computers (if applicable), even file cabinets and other non-digital media; consider other possible sources of personal information -- websites, call centers, contractors, faxes, etc.
- Talk to key personnel throughout your business (sales, accounting, etc.), including outside service providers or any others who may have been privy to sensitive data.
- Get a complete picture of who could have access to various data; even the best data security system in the world is susceptible to human error or malicious intent.
- Keep in mind that different types of information carry varying degrees of risk. Social Security numbers, credit card numbers, and financial information tend to be the most valuable data for fraud or identity theft.
2. Do You Have More Private Data Than You Need?
If your company absolutely doesn't need a given piece of personal information, why keep it? Similarly, don't collect sensitive information in the first place if you don't need it. Personal information needed only for a particular amount of time (at the point of sale, for example) becomes a liability if it's kept longer than necessary.
- Social Security numbers should only be used for required, lawful purposes such as reporting employee taxes.
- Electronically printed credit card receipts must be shortened to just the last five digits (and the expiration date must be deleted), according to federal law.
- Even though some online retailers store customers' credit card information for future purchases, this is considered risky.
- Make sure the software that reads and processes customers' credit card numbers isn't saving that information.
3. Is Your Sensitive Data Properly Secured?
Effective security is determined by the kind of information, how it's stored, who has access, and other considerations. The best data security plans deal with physical security, electronic security, employee training and the security practices of service providers and other business partners, according to the FTC. See Cyber Attacks: Small Business Guide for related suggestions.
- Store digital and printed documents in a locked location; limit access and require employees to keep potentially sensitive documents locked away when not in use.
- Require employees to log off computers, lock file cabinets and otherwise secure their work areas at the end of the day.
- Limit employee access to offsite storage facilities and keep an entry log.
- General Network Security: Identify all connections to computers where personal information is stored; assess the vulnerability of each connection; don't make sensitive consumer data accessible online; use encryption; run antivirus and anti-spyware programs regularly; disable programs or services on the network that are not needed; make sure your web applications are secure.
- Password Management: Require the use of "strong" passwords and frequent changes; immediately change default passwords after installing new software.
- Laptop/Smartphone Security: Assess whether or not personal information needs to be stored on a portable computer, deleting unnecessary data with a "wiping" program.
- Firewalls: Firewalls are either software or hardware configurations that make it difficult for hackers to access your computer.
- Detecting a Breach: Intrusion detection systems help minimize the damage when a network breach does occur; monitor both incoming and outgoing traffic for unusual activity.
- Conduct background checks on prospective new employees who may have access to sensitive data.
- Make your confidentiality and security standards clear.
- Limit access to personal information to employees who have a "need to know."
- Make information privacy and security training an ongoing process.
- Warn employees about phone "phishing," which is when criminals try to get sensitive information through trickery.
Contractors and Service Providers
- Investigate the data privacy and security policies of prospective service providers or partners, comparing their standards to yours.
- Make sure service providers notify you of any security breaches.
4. Have You Properly Disposed of Customer Data No Longer Needed?
Even though identity theft has gained traction in the digital age, some of the most damaging materials are still found in the garbage. This includes credit card receipts and other paperwork as well as old computers and CDs that are tossed in the trash without being shredded.
- Implement an information disposal practice, make it as convenient as possible (i.e. easily accessible shredders) and communicate it to employees.
- Use shredders for paper documents and CDs and use wipe utility programs to erase stored data from old computers.
- If you use consumer credit reports in your business, make sure you follow the FTC's Disposal Rule.
5. Do You Have a Data Security Response Plan in Place?
Just like a fire or an earthquake, you hope you'll never have to deal with a data security breach, but you're always better off knowing how to respond. The fact is, even the tightest security can be compromised, so it pays to think ahead about ways to reduce the impact on your business, employees and customers.
- Designate a senior member of the staff to coordinate a data security breach response plan.
- Disconnect a compromised computer from the Internet and intranet immediately.
- Investigate data security incidents immediately.
- Know who you'll need to contact in the event of an information security breach before it happens.
Contact an Attorney if You Have Additional Questions
By following the above suggestions, your company should be able to protect customers' data in most cases. But nothing is foolproof. And if you are sued for damages relating to the theft or mishandling of customer data in your care, you may want to contact a business and commercial law attorney for representation.