Many companies keep sensitive records about their customers on file. That information is often necessary to perform daily business functions. With all the current concerns about fraud and identity theft, the security of this information is not only expected by your customers, it is a necessity.
A system to protect these records can be built by following these four steps, known as the "SAFE" plan.
Sensitive Data Identified
Your first step is to identify all the data you store within your business. Ask yourself:
- What types of sensitive information do we store?
Pay close attention to social security numbers, credit card information and checking account information. These are items that identity thieves use most often.
- How do we receive this information?
Do customers come to our store? Do we receive personal data by fax or by phone? Do we receive this information through a website or by email?
Once you have identified all the sensitive data you keep, you need to keep that information safe. Review these questions:
- Is all of the information we store a business necessity?
If you do not have a true business need for this information, don’t collect it! If you must keep this information, you need to establish a records retention policy for your business that defines how long you keep this information and how you safely store this information.
- How are you storing this information?
Records are kept in many forms: paper, CDs, floppy disks, memory sticks, laptops, backup tapes, etc. Identify all the locations where you keep these files. Most importantly, make sure this information is locked up and secured.
- Who has access to these records?
Only allow access to those individuals who truly need it! Control this access through passwords and/or by key. If your employees need this information, be sure to have policies on how they must secure this information while in their control.
Formulate a Disposal Plan
Throwing away sensitive information is not enough. A trash bag full of individuals' personal information is a gold mine for identity thieves. Consider these questions:
- How is confidential information destroyed?
Information must be disposed of in a reasonable and appropriate manner. You need to confirm that the information cannot be read or reconstructed.
- How does your business dispose of electronic information?
Make sure your plan covers your electronic storage methods. You must consider how to dispose of old computers and portable storage devices.
- How do you control those who work from their home?
This group often gets overlooked. Require that these employees comply with your company disposal policy.
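The disposal questions above say to confirm that discarded electronic information cannot be read or reconstructed. The following is an added example, not part of the original article: a small Python routine that overwrites a file several times before deleting it, then reads the file back to verify the original bytes are gone. The customer record it uses is constructed for the demonstration. It assumes a conventional filesystem that rewrites blocks in place; on SSDs, journaling or copy-on-write filesystems, snapshots and backups, overwriting one file does not remove other copies, and a retired computer or portable device still needs a firmware secure erase or physical destruction.

```python
import os
import secrets
import tempfile

# Constructed sample record for the demonstration; not real customer data.
SAMPLE_RECORD = b"Customer: Jane Doe\nSSN: 000-00-0000\nChecking acct: 000000000\n"


def overwrite_and_delete(path, passes=3):
    """Overwrite a file in place, verify it, then unlink it.

    Returns True if, after the overwrite passes and before unlinking, no
    8-byte window of the original content could be read back from the file.
    Assumption: the filesystem rewrites blocks in place. SSD wear levelling,
    journaling/copy-on-write filesystems, snapshots, backups and duplicate
    copies are NOT addressed by this routine; whole devices need a firmware
    secure erase or physical destruction.
    """
    with open(path, "rb") as f:
        original = f.read()
    size = len(original)

    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))  # random pass
            f.flush()
            os.fsync(f.fileno())                # push the write to the device
        f.seek(0)
        f.write(b"\x00" * size)                 # final zero pass
        f.flush()
        os.fsync(f.fileno())

    # Verification: read the file back and look for any surviving fragment.
    with open(path, "rb") as f:
        after = f.read()
    if size == 0:
        sanitised = True
    else:
        windows = [original[i:i + 8] for i in range(0, max(1, size - 7))]
        sanitised = all(w not in after for w in windows)

    os.unlink(path)
    return sanitised


def demo():
    """Write the constructed record to a temp file, wipe it, and report
    (verified_unreadable, file_still_exists)."""
    fd, path = tempfile.mkstemp(prefix="customer-record-")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_RECORD)
    verified = overwrite_and_delete(path)
    return verified, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

The read-back check is the part a disposal policy should insist on: a routine that only deletes, or only overwrites without verifying, gives no evidence that the record is unrecoverable. The same principle applies to paper (shred, then confirm the output is not reassemblable) and to retired hardware (wipe, then spot-check the device before it leaves your control).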
Envision Threats to Your Plan
- How will your business react if you do have a security breach?
Make sure to have a plan in place. Designate a member of the management staff to coordinate any potential breaches. React quickly and contact the necessary groups as needed, including law enforcement, customers and credit bureaus.
If you follow this plan, you can protect your business and your customers! Remember—it is your responsibility to keep your customers SAFE! IBI