Information stored on your business computers almost surely includes customer and client data, and you need to keep much of that information private and safe. What could happen if you don't provide this protection? Your business' good will could be at risk, or even worse, it could face lawsuits when customers are harmed by data breaches. Learn about the basics of managing and protecting customer data.
Your business probably keeps and uses a wide range of information on your customers or clients. There's basic information about them, for everything from accounts to past purchases and background information to help serve them better. It's also probably stored in computer files. It's data you need to protect, just as is done for your business' data.
Your Data Security Plan
The cyber side of your business needs as much security as physical sites; assess what you need and create a data security plan. Understand what cyber risks you might face, and how to provide security. Many issues are the same, whether you're a business or an individual consumer. Vendors provide both products and services to carry out your plan, and government sources such as the Federal Trade Commission (FTC) provide a wealth of information for small businesses.
The FTC offers five key concepts as a base for business data security: 1. Take stock of personal data your business stores in computer files; 2. Limit records to required data; 3. Lock up data; 4. Dispose of data responsibly; 5. Plan out your response for a data breach.
Taking Stock of Personal Data
A first step is to know what data your business keeps, where it's kept and who has access. Look at all computers, desktops and laptops, mobile devices, flash drives, external drives and whether employees could have such files. There may be hard copies with this data, too. Different company departments may have data, from sales, to accounting to customer service.
The information types you find and sources will vary, depending on your business. Data is collected from customers or clients, financial institutions and credit bureaus, to name a few examples. Collection methods could be through your web site, e-mail, cash register systems or directly from customers and clients.
Some information types are more valuable and present greater risk. Personally identifying information is the key type to be concerned with. This includes financial information, social security numbers, account numbers and other personal information.
Know who can access this information through your business. Employees, contractors and vendors are several groups of users who might have access.
Thin Your Files – Keep Only Essential Data
Once you know what data you have, review what data you need to collect and keep. If you don't have a proper business purpose to keep sensitive data, don't collect or keep it when no longer needed. A good example is credit card numbers: the law requires electronically printed receipts to only show a portion of the account number and expiration dates. Make sure your sales system software isn't set to permanently retain credit card information. Have a written policy stating what information will be kept and its purpose, and the disposal methods.
Keep Data Safe and Lock It Up!
As common sense suggests, you need to keep data safe by locking it up; this applies to physical and electronic data sources. Locked doors and filing cabinets can protect hard copies, portable data sources such as CDs and external drives, and limit access to computers through which data could be reached. Have a policy for "unlocking" these sources, such as a file cabinet must be locked except when retrieving or returning documents.
Locks come in the form of electronic security, too. Control access to computer-based records with proper permissions for access, passwords and secured connections. Monitor these sources and confirm security measures are working. Employee training is important; staff needs to know the purpose for security and how to carry it out.
Have a Disposal Plan
Have a plan for safe and secure disposal of sensitive data. How you dispose of data is just as important as what data is collected and how it's stored and used. Dumpster diving happens in both business and residential settings. Don't let the trash be a gold mine for personally identifying information for would-be criminals. Physically destroying data, or wiping software for computers and storage drives can be used. It can be as simple as making shredders readily available to staff.
The FTC Disposal Rule applies those who use consumer credit reports for a business reason, and reasonable disposal of these records is required. Methods could include burning, shredding or pulverizing records, or erasing electronic records. If a disposal service is used, confirm how it complies with the Disposal Rule.
Be Ready for Trouble with a Response Plan
Should a security breach happen, have your response plan ready to go and minimize damage and impact. Disconnect affected computers and equipment from the internet. Plan how you would carry out an incident investigation and name staff members to your response team. Plan whom should be notified if there's an incident - staff, customers, vendors, other businesses and law enforcement are groups to include on your list.
Questions for Your Attorney
- I want to avoid any liability issues related to customer data security. Do I have to always have the latest security measures in place to avoid liability?
- How do I know my business has met it's duty regarding security measures?
- If an employee causes a security breach intentionally, is the business responsible for any damage it causes?