Business Identity Theft Protection
When hackers and con artists steal Social Security numbers, credit card information, passwords and other sensitive data, businesses suffer to the tune of $50 billion each year, according to the Federal Trade Commission.
So, what can you do to safeguard your business? The FTC recommends a sound data security plan based on five key tenets: Take Stock, Scale Down, Lock It, Pitch It and Plan Ahead.
Take Stock: Know what personal information is stored in your company's files and on its computers. That way you can determine the best way to secure your company's information.
- Inventory all places where sensitive data might be stored, including computers, file cabinets and mobile devices.
- Understand your company's "data stream." For example:
  - How do you receive personal information?
  - Who in your company has access to it?
  - How is it stored and destroyed?
Scale Down: Keep sensitive information only if there is a legitimate business need for it, and only as long as it is necessary.
- Use Social Security numbers only for required, lawful reasons, like reporting employee taxes. Don't unnecessarily use them as customer identification numbers.
- The law requires you to shorten electronically printed credit and debit card receipts you give customers.
- Don't keep customer credit card information unless there is a business need to do so.
- Ensure the default settings on software that reads customers' credit card numbers are not preset to keep the information permanently.
- Develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it when you don't need it.
Lock It: Protect the information that you keep. The most effective data security plans deal with four key elements: physical security; electronic security; employee training; and security practices of contractors and service providers.
- Physical security: Lock doors and cabinets; limit access to areas where sensitive information is stored; and secure devices that gather sensitive information like PIN pads.
- Electronic security: Safeguard your company's network against viruses, malware and hackers; protect passwords; keep laptops secure; use firewalls; carefully manage wireless and remote network access; use digital copiers securely; and detect network breaches.
- Employee training: Educate all employees about data security standards; limit employee access to sensitive information on a need-to-know basis; and, after employees leave or move within the company, terminate their access to sensitive data.
- Security practices of contractors and service providers: Before outsourcing payroll, data processing and other services, investigate your vendors' security practices and standards. Make sure these business partners notify you of security incidents.
Pitch It: Properly dispose of sensitive information you no longer need, and ensure it cannot be read or reconstructed after it has been removed.
- Carry out information disposal practices as needed to prevent unauthorized access to personally identifying information.
- Shred, burn or pulverize paper records before discarding.
- Use "wipe utility" software to securely erase data from computers and storage devices prior to their disposal.
- Ensure that employees who work from home practice your company's procedures for disposing of sensitive documents, computers and storage devices.
- If you use consumer credit reports for business purposes, you may need to follow the FTC's Disposal Rule.
Plan Ahead: Create a plan for responding to data security incidents.
- If a computer is compromised, promptly disconnect it from your network.
- Immediately investigate security incidents, and address existing threats and vulnerabilities.
- If data security is compromised, know who to notify inside and outside the company, including attorneys, customers, law enforcement officials, credit bureaus, etc.
To learn more about staying ahead of the data security curve, download the FTC brochure Protecting Personal Information: A Guide for Business.