How Small Businesses Can Protect and Secure Customer Information

Identity fraud is an all too-common story these days. Consumers are becoming vigilant in protecting their private data, and that may mean thinking twice before handing out credit card information. But no matter how loyal your customers are, they would likely question the trustworthiness of your business if their personal information was stolen or misused. 
Many businesses collect "sensitive"data or information from consumers - such as social security numbers, financial records, credit details - for sales or other business purposes. Theft or misuse of this information can put your customers' financial information at risk and damage the reputation of business. You can follow these tips to help protect both your business records and your customers' sensitive data: 

1) Secure documents and equipment: Even in the age of technology, paper documents are still a target for security breaches. 

• Lock up documents, files, and storage devices (like computer disks and flash drives) in a file cabinet or office when they're not in use and at the end of each day/shift. During the business day, limit access to only the employees with a legitimate need to access the information.
• Shred what you don't need. If you no longer have a business need to retain a customer's sensitive data, ensure that it's unreadable before you discard it. Read more about
  securing credit card information here.
• Consider using laptop cords and locks to secure them to workstations. If laptops are used outside of the work environment, be mindful of storing them in a secure and out-of-sight manner.
• Keep track of where you electronically store or transmit sensitive data (cell phones, laptops, etc.)

2) Secure electronic data: Depending on how much sensitive information flows through your business, preventing security attacks can be as simple as running security software or as thorough as conducting a security audit through a reputable, independent firm. 

• While it's safest to not store your sensitive data on Internet-accessible computers, that may not be practical for your business operations. In that event, encrypt the sensitive files that you need to send via the Internet. As an extra precaution, you may want to encrypt sensitive information on your computers, storage devices, and email.
• Assess your password policy. Implement password-activated screen savers after periods of inactivity, and discourage the use of social security numbers, names, or words that can be easily guessed.
• Use a secure connection, like Transport Layer Security (TLS) or Secure Sockets Layer (SSL), to protect the credit card or financial data that your business sends or receives over the Internet. If you operate a website, be sure to secure your web applications to prevent hacking.
• Keep only what you need. You can purchase electronic "wiping" programs to ensure that deleted files are permanently expunged from your hard drive.
• Read more about computer and information security here.

3) Train employees: Incorporate a company confidentiality andsecurity plan into your existing training materials. Make sure that employees understand the policies and the consequences of non-compliance by asking them to sign the agreement.

• Check references or perform background checks before hiring employees who may have access to sensitive data. Learn about using consumer reports for pre-employment screening here.
• Identify which employees have access to sensitive data, and limit access on a need-to-know basis as appropriate.
• Reward employees for reporting suspicious activity or security vulnerabilities.
• If an employee leaves the business, ensure that access to company information is suspended by changing passwords and keys, closing accounts, etc.

4) Secure vendor relationships: Work withreputable, reliable companies that can support your data security requirements.

• Investigate the data security practices of companies that you outsource work to - including Website hosting, payroll, call centers, etc. to ensure they are up to your standards.
• Add security safeguard requirements to all contracts with service providers who may deal with sensitive business data, including a clause that they notify of security incidents at their facility - even if the incidents don't compromise your data.

5) Create a response plan: If, despiteyour best planning, a breach does occur, have a plan in place to reduce theimpact on your business, customers, and employees.

• If a computer is compromised, immediately disconnect it from the Internet.
• Plan who to notify in the event of a breach, including law enforcement, customers, credit bureaus, banks, and other businesses affected by the incident. Consult an attorney to ensure you have done your due diligence in contacting related parties.
• If a security breach at your business results in a customer becoming a victim of identity theft, you are required by the Fair Credit Reporting Act to provide a free copy of the customer's transaction records, such as a credit application, relating to the theft.

Related Resources:

• How to use credit and consumer reports to protect your small business interests
• Business.gov's overview on privacy and security laws for small businesses
• Interactive tutorial of FTC's Information Security Guide for business 
• Online privacy, security, and fraud protection tips from the government and technology industry

Message Edited by JamieD on 09-01-2009 01:22 PM