Five Tips for Protecting Customer Data
Created by FindLaw's team
of legal writers and editors.
Nearly every business handles some sort of customer data that could be misused if stolen or mishandled. Customers' credit card numbers and employees' Social Security numbers, for example, can easily be exploited by identity thieves and other criminals if such data is not properly safeguarded. A data breach can deal a heavy blow to any business, including the loss of your customers' trust and possibly even a lawsuit.
The Federal Trade Commission recommends determining which personal information your company holds or has access to, keeping only what you need, protecting the information you do have, properly disposing of information no longer needed, and creating a plan before a data breach happens. Here are five tips to help you get started.
1. What Personal Information Does Your Business Have?
Conducting an audit of all the potentially sensitive data controlled or accessed by your business, including who has access which information, is the first step toward protecting the personal information of customers and employees. You should:
- Inventory computers, cell phones, flash drives, storage disks, home computers (if applicable), even file cabinets and other non-digital media; consider other possible sources of personal information -- websites, call centers, contractors, faxes, etc.
- Talk to key personnel throughout your business (sales, information technology, human resources, accounting, etc.), including outside service providers or any others who may have been privy to sensitive data.
- Get a complete picture of who could have access to various data throughout the company; even the best data security system in the world is susceptible to human error or malicious intent.
- Keep in mind that different types of information carry varying degrees of risk. Social Security numbers, credit card numbers and financial information tend to be the most valuable data for fraud or identity theft.
2. Do You Have More Private Data Than You Need?
Similarly, don't collect or keep sensitive information in the first place if you don't need it. Personal information needed only for a particular amount of time (at the point of sale, for example) becomes a liability if it's kept longer than necessary.
- Social Security numbers should only be used for required, lawful purposes such as reporting employee taxes.
- Electronically printed credit card receipts must be shortened to just the last five digits (and the expiration date must be deleted), according to federal law.
- Have a compelling business reason to store customer's credit card data for future use.
Make sure the software that reads and processes customers' credit card numbers isn't saving that information.
3. Is Your Sensitive Data Properly Secured?
Effective security is determined by the kind of information, how it's stored, who has access and other considerations. The best data security plans deal with physical security, electronic security, employee training and the security practices of service providers and other business partners, according to the FTC.
- Store digital and printed documents in a locked location; limit access
- and and require employees to keep potentially sensitive documents locked away when not in use.
- Require employees to log off computers, lock file cabinets and otherwise secure their work areas at the end of the day.
- Limit employee access to offsite storage facilities and keep an entry log.
- Encrypt sensitive information when shipping it via outside carriers and track the delivery.
- General Network Security - Identify all connections to computers where personal information is stored; assess the vulnerability of each connection; don't make sensitive consumer data accessible through the internet; encrypt sensitive data sent over the internet; run antivirus and anti-spyware programs on a regular basis; make sure software is regularly updated for security; disable programs or services on the network that are not needed; make sure your web applications are secure.
- Password Management - Require the use of "strong" passwords and frequent changes; set employee computers to lock after a period of inactivity; warn employees about attempts to coax them into providing their passwords, often done over the telephone; immediately change default passwords after installing new software.
- Laptop/Smartphone Security - Assess whether or not personal information needs to be stored on a portable computer, deleting unnecessary data with a "wiping" program; consider only allowing access to sensitive data without allowing it to be stored on portable computers.
- Firewalls - Firewalls are either software or hardware configurations that make it difficult for hackers to access your computer.
- Wireless Access - Consider limiting the ability of inventory scanners or cell phones to access sensitive information; use encryption for personal information.
- Detecting a Breach - There are a number of intrusion detection systems on the market that help minimize the damage when a network breach does occur; monitor both incoming and outgoing traffic for unusual activity.
- Conduct background checks on prospective new employees who may have access to sensitive data.
- Make your confidentiality and security standards clear and have new employees sign an agreement promising to follow those standards.
- Limit access to personal information to employees who have a "need to know."
- Make information privacy and security training an ongoing process, not a one-time thing.
- Warn employees about phone "phishing," which is when criminals try to get sensitive information through trickery.
- Impose penalties for security policy violations.
Contractors and Service Providers:
Investigate the data privacy and security policies of prospective service providers, partners, or contractors comparing their standards to yours. Make sure service providers notify you of any security breaches, even minor and potentially harmless ones.
4. Have You Properly Disposed of Customer Data No Longer Needed?
Even though identity theft has gained traction in the digital age, some of the most damaging materials are still found in the garbage. This includes credit card receipts and other paperwork as well as old computers and CDs that are tossed in the trash without being shredded.
- Implement an information disposal practice, make it as convenient as possible (i.e. easily accessible shredders) and communicate it to employees.
- Use shredders for paper documents and CDs and use wipe utility programs to erase stored data from old computers.
- If you use consumer credit reports in your business, make sure you follow the FTC's Disposal Rule.
5. Do You Have a Data Security Response Plan in Place?
The fact is, even the tightest security can be compromised; so it pays to think ahead of ways to reduce the impact on your business, employees and customers.
- Designate a senior member of the staff to coordinate a data security breach response plan.
- Disconnect a compromised computer from the internet and intranet immediately
- Investigate data security incidents immediately.
- Know who you'll need to contact in the event of an information security breach before it happens.
Next Steps in Data Security
If your business has suffered a data breach or you are hoping to stop one before it happens, speak to a business and commercial law attorney in your area now. A skilled lawyer can help you make responsible decisions regarding sensitive customer data.