Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees.
This information often is necessary to fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. Given the cost of a security breach—losing your customers’ trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business. Some businesses may have the expertise in-house to implement an appropriate plan. Others may find it helpful to hire a contractor. Regardless of the size—or nature—of your business, the principles in this brochure will go a long way toward helping you keep data secure. A sound data security plan is built on 5 key principles:
1. TAKE STOCK. Know what personal information you have in your files and on your computers.
Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities. You can determine the best ways to secure the information only after you’ve traced how it flows. To find out more, visit business.ftc.gov/privacy-and-security.

2. SCALE DOWN. Keep only what you need for your business.

If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary.
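As an added example (it is not code from the FTC brochure), the following Python script shows one way to start on principles 1 and 2 together: it scans a set of records for Social Security numbers and payment card numbers, confirms card candidates with the Luhn check so that phone numbers and invoice numbers are not reported, masks what it finds so the report does not become another copy of the data, and flags records older than a retention period as candidates for secure disposal. The sample records, the patterns, and the 365-day retention period are assumptions constructed for illustration; tune them to the data your business actually holds.

```python
"""Added example: inventory sensitive identifiers and flag records past retention.

Not FTC code. The sample records, regular expressions and retention period
below are constructed for illustration only.
"""
import re
from datetime import date

# SSN in AAA-GG-SSSS form. Area 000, 666 and 900-999, group 00 and serial 0000
# are never issued, so excluding them cuts down false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Payment card candidate: 13 to 19 digits, optionally separated by spaces or
# hyphens. Every candidate is confirmed with the Luhn checksum below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the report itself is not sensitive."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text: str) -> dict:
    """Return masked SSNs and Luhn-valid card numbers found in text."""
    found = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        found["ssn"].append(mask(m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"].append(mask(digits))
    return found


def inventory(records: list, retention_days: int, today: date) -> list:
    """Per-record report: which identifiers it holds and whether it is past retention."""
    report = []
    for rec in records:
        found = find_pii(rec["text"])
        age_days = (today - rec["modified"]).days
        report.append({
            "path": rec["path"],
            "ssn": found["ssn"],
            "card": found["card"],
            "has_pii": bool(found["ssn"] or found["card"]),
            "past_retention": age_days > retention_days,
        })
    return report


# Constructed sample records (not real data). "modified" stands in for the
# file's last-modified date you would read from the filesystem or database.
SAMPLE_RECORDS = [
    {"path": "orders-2023.txt", "modified": date(2023, 1, 15),
     "text": "Order 1042 paid with card 4111 1111 1111 1111, ship to 12 Main St"},
    {"path": "payroll.csv", "modified": date(2024, 5, 20),
     "text": "Jane Doe,123-45-6789,2024-05-15,salaried"},
    {"path": "notes.txt", "modified": date(2024, 5, 1),
     "text": "Call back at 555-123-4567; invoice 4111111111111112 was a typo"},
]

if __name__ == "__main__":
    for row in inventory(SAMPLE_RECORDS, retention_days=365, today=date(2024, 6, 1)):
        flags = []
        if row["has_pii"]:
            flags.append("identifiers: " + ", ".join(row["ssn"] + row["card"]))
        if row["past_retention"]:
            flags.append("past retention: review for secure disposal")
        print(row["path"], "->", "; ".join(flags) or "no findings")
```

Run against the constructed records, the order file is reported for a card number and as past retention, the payroll file for an SSN, and the notes file for nothing: its phone number has too few digits and its sixteen-digit invoice number fails the Luhn check. Pattern matching of this kind is a starting point for taking stock, not a substitute for asking each team what they collect and where it goes.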
If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.

3. LOCK IT. Protect the information that you keep.

What’s the best way to protect the sensitive personally identifying information you need to keep? It depends on the kind of information and how it’s stored. The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.

Physical Security

Many data compromises happen the old-fashioned way—through lost or stolen paper documents. Often, the best defense is a locked door or an alert employee.
Electronic Security

Computer security isn’t just the realm of your IT staff. Make it your business to understand the vulnerabilities of your computer system, and follow the advice of experts in the field.

General Network Security
SECURITY CHECK
Question: But once we receive it, we decrypt it and email it over the internet to our branch offices in regular text. Is there a safer practice?
Answer:

Authentication
Laptop Security
Firewalls
Wireless and Remote Access
Digital Copiers

Your information security plan should cover the digital copiers your company uses. The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes, or emails. If you don’t take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extraction once the drive has been removed. Here are some tips about safeguards for sensitive data stored on the hard drives of digital copiers:
To find out more, read Copier Data Security: A Guide for Businesses.

Detecting Breaches
Protect your systems by keeping software updated and conducting periodic security reviews for your network. Bookmark the websites of groups like the Open Web Application Security Project, www.owasp.org, or the SANS (SysAdmin, Audit, Network, Security) Institute’s The Top Cyber Security Risks, www.sans.org/top20, for up-to-date information on the latest threats—and fixes. And check with your software vendors for patches that address new vulnerabilities. For more tips on keeping sensitive data secure, read Start with Security: A Guide for Business.

Employee Training

Your data security plan may look great on paper, but it’s only as strong as the employees who implement it. Take time to explain the rules to your staff, and train them to spot security vulnerabilities. Periodic training emphasizes the importance you place on meaningful data security practices. A well-trained workforce is the best defense against identity theft and data breaches.
Security Practices of Contractors and Service Providers

Your company’s security practices depend on the people who implement them, including contractors and service providers.
4. PITCH IT. Properly dispose of what you no longer need.

What looks like a sack of trash to you can be a gold mine for an identity thief. Leaving credit card receipts or papers or CDs with personally identifying information in a dumpster facilitates fraud and exposes consumers to the risk of identity theft. By properly disposing of sensitive information, you ensure that it cannot be read or reconstructed.
5. PLAN AHEAD. Create a plan for responding to security incidents.

Taking steps to protect data in your possession can go a long way toward preventing a security breach. Nevertheless, breaches can happen. Here’s how you can reduce the impact on your business, your employees, and your customers:
Additional Resources

These websites and publications have more information on securing sensitive data:
Start with Security
National Institute of Standards and Technology (NIST)
SANS (SysAdmin, Audit, Network, Security) Institute
United States Computer Emergency Readiness Team (US-CERT)
OnGuard Online
Small Business Administration
Better Business Bureau

The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a video, How to File a Complaint, at ftc.gov/video to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

Opportunity to Comment

The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency’s responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.

FEDERAL TRADE COMMISSION

What are three laws that protect privacy and what is each law's focus?
Children's Online Privacy Protection Act (COPPA) — Protects children's privacy. Family Educational Rights and Privacy Act (FERPA) — Protects students' personal information. California Consumer Privacy Act (CCPA) — Protects privacy rights for residents of California.
What are some of the laws that provide protection for the privacy of personal data?
Republic Act No. 10173, otherwise known as the Data Privacy Act (Philippines), is a law that seeks to protect all forms of information, be it private, personal, or sensitive. It covers both natural and juridical persons involved in the processing of personal information.

What are data privacy laws?
Information privacy, data privacy or data protection laws provide a legal framework for how the data of natural persons may be obtained, used and stored. The various laws around the world describe the rights of natural persons to control who uses their data.

What is a data privacy statement?
A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer where one has been appointed. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long they are kept, and the controller's legal basis for processing.