Your Biz vs Identity Theft

Updated May 9, 2017 . AmFam Team


The hard work of growing your business dream leaves you wanting to protect it at all costs – especially when it comes to safeguarding it against identity theft.

So, what can you do to protect your business? The FTC recommends a sound data security plan based on five key actions. Let’s take a closer look.


It’s important to know what personal information is stored in your company's files and on its computers. That way you can determine the best way to secure your company's info.

  • Inventory all places where sensitive data might be stored, including computers, file cabinets and mobile devices.
  • Understand your company's "data stream." For example:
    • How do you receive personal information?
    • Who in your company has access to it?
    • How is it stored and destroyed?


Hold onto sensitive info only if there is a legitimate business need for it, and only as long as is necessary.

  • Use Social Security numbers only for required, lawful reasons, like reporting employee taxes. Don't use them as employee or customer identification numbers.
  • The law requires you to shorten electronically printed credit and debit card receipts you give customers.
  • Don't keep customer credit card information unless there is a business need to do so.
  • Ensure the default settings on software that reads customers' credit card numbers is not preset to keep the information permanently.
  • Develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it when you don't need it.


Protect the info that you keep. The most effective data security plans start here:

  • Physical Security: Lock doors and cabinets; limit access to areas where sensitive information is stored; and secure devices that gather sensitive information like PIN pads.
  • Electronic Security: Safeguard your company's network against viruses, malware and hackers; protect passwords; keep laptops secure; use firewalls; carefully manage wireless and remote network access; use digital copiers securely; and detect network breaches.
  • Employee Training: Educate all employees about data security standards; limit employee access to sensitive info on a need-to-know basis; and, after employees leave or move within the company, terminate their access to sensitive data.
  • Security Practices of Contractors and Service Providers: Before outsourcing payroll, data processing and other services, investigate your vendors' security practices and standards. Make sure these business partners notify you of security incidents.


Dispose of sensitive information you no longer need, and make sure it cannot be read or reconstructed after it has been removed.

  • Shred paper records before discarding.
  • Use "wipe utility" software to securely erase data from computers and storage devices prior to their disposal.
  • Make sure employees who work from home know your company's procedures for disposing of sensitive documents, computers and storage devices.
  • If you use consumer credit reports for business purposes, you may need to follow the FTC's Disposal Rule.


And lastly? Plan for responding to data security incidents.

  • If a computer is compromised, promptly disconnect it from your network.
  • Immediately investigate security incidents, and address existing threats and vulnerabilities.
  • If data security is compromised, know who to notify inside and outside the company, including attorneys, customers, law enforcement officials, credit bureaus, etc.

Tools & Resources

Explore our tools and smart tips.