Most companies store sensitive personal information in files—names, social security numbers, credit card or other account information—that identify customers or employees.
This information is often needed to fulfill orders, process payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft or similar harm. Given the cost of a security breach (losing the trust of your customers and perhaps even defending yourself against a lawsuit), protecting personal information is simply good business.
Some companies may have in-house experience to implement a suitable plan. Others may find it helpful to hire a contractor. No matter the size or type of your business, the principles in this booklet will help you keep your data secure.
A strong data security plan is based on 5 fundamental principles:
- TAKE STOCK. Know what personal information you have in your files and on your computers.
- SCALE DOWN. Keep only what you need for your business.
- LOCK IT. Protect the information you keep.
- PITCH IT. Properly dispose of what you no longer need.
- PLAN AHEAD. Create a plan for responding to security incidents.
- Take an inventory of all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers and other equipment to find out where your company stores sensitive data. Also inventory the information you have by type and location. Your file cabinets and computer systems are a start, but remember: your business receives personal information in a number of ways, through websites, from contractors, from call centers, and the like. What about information saved on laptops, employees' home computers, flash drives, digital copiers and mobile devices? No inventory is complete until you check everywhere sensitive data might be stored.
- Track personal information through your business by talking with your sales department, information technology staff, human resources office, accounting personnel, and outside service providers. Get a complete picture of:
- Who sends sensitive personal information to your business. Do you get it from customers? Credit card companies? Banks or other financial institutions? Credit bureaus? Job applicants? Other businesses?
- How your business receives personal information. Does it come to your business through a website? By email? Through the mail? Is it transmitted through cash registers in stores?
- What kind of information you collect at each entry point. Do you get credit card information online? Does your accounting department keep information about customers' checking accounts?
- Where you keep the information you collect at each entry point. Is it in a central computer database? On individual laptops? On a cloud computing service? On employees' smartphones, tablets, or other mobile devices? On disks or tapes? In file cabinets? In branch offices? Do employees have files at home?
- Who has, or could have, access to the information. Which of your employees has permission to access the information? Do they need access? Could anyone else get hold of it? What about vendors who supply and update the software you use to process credit card purchases? Contractors operating your call center?
- Different types of information carry different risks. Be especially careful about how you store personal information: social security numbers, credit card or financial information, and other sensitive data. This is what thieves most commonly use to commit fraud or identity theft.
Are there laws that require my company to keep confidential data secure?
Yes. While you're taking stock of the information in your files, take stock of the law, too. Statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information.
Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has or could have access to it is essential to assessing security vulnerabilities. You can't determine the best ways to protect information until you understand how it flows.
For more information, visit business.ftc.gov/privacy-and-security.
If you don't have a legitimate business need for sensitive personal information, don't keep it. In fact, don't even collect it. If you have a legitimate business need for the information, keep it only as long as it's necessary.
- Use Social Security numbers only for mandatory and legal purposes, such as employee tax returns. Do not use social security numbers unnecessarily, for example as employee or customer identification numbers, or because you have always had them.
- If your company is developing a mobile app, make sure the app only accesses the data and functionality it needs. And don't collect or store personally identifiable information unless it's an integral part of your product or service. Remember, if you collect and store data, you must protect it.
- Do not retain customer credit card information unless there is a business need to do so. For example, don't keep your account number and expiration date unless you have a significant business need. Retaining this information, or for longer than necessary, increases the risk that the information could be used for fraud or identity theft.
- Scale down access to data. Follow the "principle of least privilege": each employee should have access only to the resources needed to do their particular job.
We like to have accurate information about our customers, so we generally keep a permanent record of all aspects of their transactions, including the information we collect from the magnetic stripe on their credit cards. Could this put their information at risk?
Yes. Keep confidential data on your system only as long as there is a business reason to do so. When this business need is over, dispose of it properly. If it's not on your system, hackers won't be able to steal it.
If you must keep information for business reasons or to comply with the law, develop a written records retention policy that identifies what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.
How can you best protect the sensitive personal information you need to keep? It depends on the kind of information and how it's stored. The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.
Many data breaches happen the old-fashioned way, through lost or stolen paper documents. Often the best defense is a locked door or an alert employee.
- Keep paper documents or files, USB sticks and backups containing personal data in a locked room or archive. Limit access to employees with legitimate business needs. Control who has a key and the number of keys.
- Require that files containing personally identifiable information be kept in locked file cabinets except when an employee is working on the file. Remind employees not to leave sensitive papers out on their desks when they are away from their workstations.
- At the end of the day, require employees to put files away, log off their computers, and lock their file cabinets and office doors.
- Implement appropriate access controls for your building. Let employees know what to do and who to call if they see an unknown person on the premises.
- If you maintain offsite storage facilities, limit employee access to those with a legitimate business need. Know if and when someone accesses the storage site.
- If you send confidential information through third-party vendors or contractors, encrypt the information and keep an inventory of the information sent. Also, use an overnight shipping service that allows you to track the delivery of your information.
- If you have devices that collect sensitive information, like PIN pads, secure them so that identity thieves can't tamper with them. Also, inventory those items to make sure they have not been switched.
Computer security is not just the domain of your IT staff. Make it your mission to understand vulnerabilities in your computer system and follow the advice of subject matter experts.
General network security
- Identify computers or servers that store sensitive personal information.
- Identify all connections to the computers where you store sensitive information. These may include the Internet, electronic cash registers, computers at your branch offices, computers used by service providers to support your network, digital copiers, and wireless devices like smartphones, tablets, or inventory scanners.
- Assess each connection's vulnerability to known or reasonably foreseeable attacks. Depending on your circumstances, appropriate assessments can range from having an experienced employee running standard security software to having a comprehensive security audit performed by an independent expert.
- Do not store confidential consumer data on computers connected to the Internet unless it is essential to the operation of your business.
- Encrypt confidential information that you send to third parties over public networks (such as the Internet) and encrypt confidential information stored on your computer network, laptops or portable storage devices used by your employees. Also, consider encrypting email transmissions within your organization.
- Run regularly updated antimalware programs on individual computers and servers in your network.
- Check expert websites (such as www.us-cert.gov) and your software vendors' websites regularly for alerts about new vulnerabilities, and implement policies for installing vendor-approved patches to correct problems.
- Restrict employees' ability to download unauthorized software. Software downloaded to devices connected to your network (computers, smartphones and tablets) can be used to spread malware.
- Scan computers on your network to identify and profile the operating system and open network services. If you find services that you don't need, disable them to prevent hacks or other potential security problems. For example, if email service or an Internet connection is not necessary on a certain computer, consider closing the ports to those services on that computer to prevent unauthorized access to that machine.
- When receiving or transmitting credit card or other sensitive financial information, use Transport Layer Security (TLS) encryption or another secure connection that protects the information in transit.
- Pay particular attention to the security of your web applications, the software used to give information to visitors to your website and to retrieve information from them. Web applications may be particularly vulnerable to a variety of hack attacks. In one variation called an "injection attack," a hacker inserts malicious commands into what looks like a legitimate request for information. Once in your system, hackers transfer sensitive information from your network to their computers. Relatively simple defenses against these attacks are available from a variety of sources.
We encrypt financial data customers submit on our website. But once we receive it, we decrypt it and email it over the Internet to our branch offices in regular text. Is there a safer practice?
Yes. Regular email is not a secure way to send confidential information. A best practice is to encrypt any transmissions that contain information that could be used by scammers or identity thieves.
- Control access to sensitive information by requiring employees to use "strong" passwords. Technology security experts say the longer the password, the better. Because simple passwords, such as words found in popular dictionaries, can be easily guessed, insist that employees choose passwords that contain a combination of letters, numbers, and characters. Require an employee's username and password to be different. Request password changes when necessary, such as after a breach.
- Consider also using multi-factor authentication, such as requiring the use of a password and a code sent by different methods.
- Explain to employees why it is against company policy to share their passwords or post them near their workstations.
- Use password-enabled screensavers to lock down employee computers after a period of inactivity.
- Block users who fail to enter the correct password within a specified number of login attempts.
- Warn employees of possible calls from identity thieves trying to trick them into revealing their passwords by posing as members of your IT staff. Inform employees that such calls are always fraudulent and that no one should ask them to reveal their passwords.
- When installing new software, immediately change vendor-supplied default passwords to a more secure password.
- Advise employees not to send sensitive personal information (social security numbers, passwords, account information) via email. Unencrypted email is not a secure way to transmit information.
- Limit laptop use to employees who need it for their jobs.
- Assess whether sensitive information really needs to be stored on a laptop. If not, delete it with a "wiping" program that overwrites the data on the laptop. Deleting files using standard keyboard commands isn't sufficient because data may remain on the laptop's hard drive. Wiping programs are available at most office supply stores.
- Require employees to store laptops in a secure place. Even when laptops are in use, consider using cords and locks to secure laptops to employees' desks.
- Consider allowing laptop users only to access sensitive information, but not to store the information on their laptops. Under this approach, the information is stored on a secure central computer and the laptops function as terminals that display information from the central computer but don't store it. The information could be further protected by requiring the use of a token, "smart card," thumb print, or other biometric, as well as a password, to access the central computer.
- If a laptop contains sensitive data, encrypt it and configure it so users can't download any software or change the security settings without approval from your IT specialists. Consider adding an "auto-destroy" function so that data on a computer that is reported stolen will be destroyed when the thief uses it to try to get on the Internet.
- Train employees to be mindful of security when they're on the road. They should never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage unless directed to by airport security. If someone must leave a laptop in a car, it should be locked in the trunk. Everyone who goes through airport security should keep an eye on their laptop as it goes on the belt.
Our account managers need access to our database of customer financial information. To make it easier to remember, we only use our company name as the password. Could this lead to a security issue?
Yes. Hackers will first try words like "password," your company name, the software's default password, and other easy-to-guess choices. They'll also use programs that run through common English words and dates. To make it harder for them to crack your system, select strong passwords (the longer the better) that use a combination of letters, symbols, and numbers. Don't store passwords in clear text. Use a password management system that adds salt (random data) to hashed passwords and consider using slow hash functions.
- Use a firewall to protect your computer from hacker attacks while connected to a network, especially the Internet. A firewall is software or hardware designed to prevent hackers from accessing your computer. A properly configured firewall makes it harder for hackers to find your computer and access your programs and files.
- Determine whether you should install a "border" firewall where your network connects to the Internet. A border firewall separates your network from the Internet and may prevent an attacker from gaining access to a computer on the network where you store sensitive information. Set "access controls" (settings that determine which devices and traffic get through the firewall) to allow only trusted devices with a legitimate business need to access the network. Since the protection a firewall provides is only as effective as its access controls, review them periodically.
- If some computers on your network store confidential information and others do not, consider using additional firewalls to protect computers that contain confidential information.
Wireless and remote access
- Determine whether you use wireless devices like smartphones, tablets, or inventory scanners to connect to your computer network or to transmit sensitive information.
- If you do, consider limiting who can use a wireless connection to access your computer network. You can make it harder for an intruder to access the network by limiting the wireless devices that can connect to your network.
- Encrypt the information you send over your wireless network so that nearby attackers can't eavesdrop on these communications. Look for a wireless router that supports Wi-Fi Protected Access 2 (WPA2) and devices that are compatible with WPA2.
- Use encryption if you allow remote access to your computer network by employees or by service providers, such as companies that troubleshoot and update the software you use to process credit card purchases. Consider implementing multi-factor authentication for access to your network.
Your information security plan should cover the digital copiers your company uses. The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes, or emails. If you don't take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed.
Here are some tips for protecting confidential data stored on digital copier hard drives:
- Get your IT staff involved when you're thinking about getting a copier. Employees responsible for securing your computers also should be responsible for securing data on digital copiers.
- When buying or renting a copier, consider the data security features offered, either as standard equipment or as optional add-on kits. These features typically include encryption and overwriting. Encryption scrambles data on the hard drive so that only specific software can read it. Overwriting, also known as file deletion or file shredding, replaces existing data with random characters, making it difficult to reconstruct a file.
- Once you choose a copier, take advantage of all its security features. You may be able to set the number of times data is overwritten; generally, the more times the data is overwritten, the safer it is from being retrieved. In addition, make it an office practice to securely overwrite the entire hard drive at least once a month.
- If you are returning or disposing of a copier, find out if you can remove and destroy the hard drive or if the data on the hard drive can be overwritten. Ask an experienced technician to remove the hard drive to avoid the risk of damaging the device.
For more information, read Copier Data Security: A Guide for Businesses.
- To detect network breaches when they occur, consider using an intrusion detection system. To be effective, it must be updated frequently to deal with new types of hacking.
- Keep centralized log files with security-related information to monitor activity on your network so you can detect and respond to attacks. When your network is under attack, the log contains information that can be used to identify compromised computers.
- Monitor incoming traffic for signs that someone is trying to hack in. Keep an eye out for activity from new users, multiple log-in attempts from unknown users or computers, and higher-than-average traffic at unusual times of the day.
- Monitor outbound traffic for signs of a data breach. Beware of unexpectedly large amounts of data being transferred from your system to an unknown user. If large amounts of data are being transferred from your network, verify that the transfer is authorized.
- Create and implement a security breach response plan.
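The two monitoring checks described above (repeated log-in failures from unknown users, and unexpectedly large outbound transfers), as an added example that is not from the FTC booklet and assumes centralized logs have already been collected. The log line format, the sample lines and the thresholds are constructed for this example; the addresses are from the documentation ranges.

```python
# Added example (not from the FTC booklet): two checks over centralized log
# lines, flagging repeated failed log-ins from one user/source and unusually
# large outbound transfers. The log format and all lines are constructed.
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed format: "<ISO-8601 UTC timestamp> <EVENT> key=value key=value ..."
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s*(?P<fields>.*)$")

SAMPLE_LOG = """\
2024-03-01T09:15:02Z LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:15:09Z LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:15:15Z LOGIN_OK user=jsmith src=198.51.100.23
2024-03-01T09:15:21Z LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:15:30Z LOGIN_FAIL user=mlee src=198.51.100.41
2024-03-01T09:15:44Z LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:16:01Z LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T09:16:40Z LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T02:10:00Z OUTBOUND host=fileserver dst=192.0.2.77 bytes=734003200
2024-03-01T10:02:13Z OUTBOUND host=mailserver dst=192.0.2.10 bytes=20480
this line is garbage and is skipped
""".splitlines()


def parse_line(line: str):
    """Return (timestamp, event, fields) or None for lines that don't match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return ts, m.group("event"), fields


def failed_login_bursts(lines, threshold: int = 5, window_seconds: int = 300) -> dict:
    """Map (user, src) -> peak number of LOGIN_FAIL events seen inside one window."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "LOGIN_FAIL":
            continue
        ts, _, f = parsed
        key = (f.get("user", "?"), f.get("src", "?"))
        window = recent[key]
        window.append(ts)
        # Drop attempts older than the sliding window before counting.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(window))
    return flagged


def large_outbound_transfers(lines, max_bytes: int) -> list:
    """Return (host, destination, bytes) for OUTBOUND events above max_bytes."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "OUTBOUND":
            continue
        _, _, f = parsed
        try:
            size = int(f.get("bytes", "0"))
        except ValueError:
            continue
        if size > max_bytes:
            hits.append((f.get("host", "?"), f.get("dst", "?"), size))
    return hits


if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG))
    print(large_outbound_transfers(SAMPLE_LOG, max_bytes=100_000_000))
```

Anything the checks flag is a lead to verify (was the transfer authorized? is that source a known office?), not a verdict; the thresholds should be set from what normal traffic on your own network looks like.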
I'm not really a "technical" guy. Are there steps our IT people can take to protect our system from common hacker attacks?
Yes. There are simple fixes to protect your computers from some of the most common vulnerabilities. For example, a threat known as an "SQL injection attack" could give scammers access to sensitive data on your system.
Protect your systems by keeping software updated and conducting periodic security reviews for your network. Bookmark the websites of groups like the Open Web Application Security Project, www.owasp.org, or the SANS (SysAdmin, Audit, Network, Security) Institute's The Top Cyber Security Risks, www.sans.org/top20, for up-to-date information on the latest threats and fixes. And check with your software vendors for patches that address new vulnerabilities. For more tips on keeping sensitive data secure, read Start with Security: A Guide for Business.
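The SQL injection attack mentioned in this answer and in the "General network security" list, as an added example that is not from the FTC booklet: the same customer lookup written first by pasting the request into the SQL text, then with a parameterized query, which is the simple countermeasure the booklet refers to. The table, its rows and the crafted request are constructed for this example and run against an in-memory SQLite database.

```python
# Added example (not from the FTC booklet): a customer lookup written first with
# string concatenation (open to injection) and then with a parameterized query.
# The table and rows are constructed for this example, in an in-memory SQLite db.
import sqlite3

SAMPLE_CUSTOMERS = [("Alice", "ACCT-0001"), ("Bob", "ACCT-0002"), ("Carol", "ACCT-0003")]

# A request that looks like a name but carries SQL syntax inside it.
CRAFTED_INPUT = "' OR '1'='1"


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, account TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the input is pasted into the SQL text, so a quote character
    # in `name` ends the string literal and the rest is executed as SQL.
    query = "SELECT name, account FROM customers WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: `?` is a bound parameter. The driver passes the input as a
    # value, so it is compared against the column and never parsed as SQL.
    return conn.execute(
        "SELECT name, account FROM customers WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> tuple:
    """Row counts returned by the two versions for the same input."""
    conn = setup_db()
    try:
        return len(lookup_unsafe(conn, name)), len(lookup_safe(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("Alice"))         # (1, 1): both behave the same for ordinary input
    print(compare(CRAFTED_INPUT))   # (3, 0): concatenation returns every row, binding returns none
```

The hardened version needs no special handling of quotes or other characters; binding parameters is the whole fix, and it is supported by every mainstream database driver.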
Your data security plan might look great on paper, but it's only as strong as the people implementing it. Take the time to explain the rules to your employees and train them to recognize security breaches. Regular training emphasizes the importance you place on sound data security practices. A well-trained workforce is the best defense against identity theft and data breaches.
- Check references or do background checks before hiring employees who have access to sensitive data.
- Have each new employee sign an agreement to adhere to your company's confidentiality and security standards for handling sensitive data. Make sure they understand that adhering to your organization's data security plan is an integral part of their responsibilities. Remind your employees regularly of your company's policies and any legal requirements for keeping customer data secure and confidential.
- Find out which employees have access to consumers' sensitive personal data. Pay special attention to things like social security numbers and bank account numbers. Restrict access to personal data to employees who "need to know".
- Create a procedure to ensure that employees who leave your employ or transfer to another part of the company no longer have access to sensitive information. Terminate their passwords, and collect keys and identification cards as part of the check-out routine.
- Create a "culture of security" by implementing a regular schedule of employee training. Update employees as you find out about new risks and vulnerabilities. Make sure training includes employees at satellite offices, temporary help, and seasonal workers. If employees don't attend, consider blocking their access to the network.
- Train employees to recognize security threats. Tell them how to report suspicious activity and publicly reward employees who alert you to vulnerabilities. Visit ftc.gov/startwithsecurity to show them videos about vulnerabilities that could affect your company, along with practical guidance on how to reduce data security risks.
- Inform employees of your company's policies for keeping information secure and confidential. Post reminders in areas where confidential information is used or stored and in areas where employees gather. Make sure your policies cover employees who work remotely or access sensitive data from home or a remote location.
- Teach employees about the dangers of spear phishing: emails containing information that makes the emails look legitimate. These emails may appear to come from someone within your company, generally someone in a position of authority. Make it office policy to independently verify any emails requesting sensitive information. When verifying, do not reply to the email and do not use links, phone numbers, or websites contained in the email.
- Warn employees about phishing over the phone. Train them to be wary of unknown callers who say they need account numbers to process an order or request customer or employee contact information. Make it business policy to verify this by contacting the company on a phone number you know to be genuine.
- Require employees to notify you immediately if there is a potential security breach, such as a lost or stolen laptop.
- Impose disciplinary measures for security policy violations.
- For information security tips, tutorials, and quizzes for all your employees, visit www.ftc.gov/OnGuardOnline.
Security practices of contractors and service providers
Your organization's security practices depend on the people who implement them, including contractors and service providers.
- Before outsourcing any of your business functions (payroll, web hosting, customer call center operations, data processing, or the like), research the company's data security practices and compare their standards to yours. If possible, visit their premises.
- Put your security expectations in writing in contracts with service providers. Then, don't just take their word for it: verify compliance.
- Insist that your service providers notify you of all security incidents, even if the incidents did not result in your data being actually compromised.
What looks like a garbage bag to you could be a gold mine to an identity thief. Leaving credit card receipts or documents or CDs containing personal information in a trash can facilitates fraud and puts consumers at risk of identity theft. By properly disposing of confidential information, you ensure that it cannot be read or reconstructed.
- Implement information deletion procedures that are reasonable and appropriate to prevent unauthorized access or use of personal information. Appropriate actions for your operation are based on information sensitivity, the costs and benefits of different disposal methods, and changing technology.
- Dispose of paper records effectively by shredding, incinerating or pulverizing them prior to disposal. Provide paper shredders throughout the job site, including near the copier.
- When disposing of old computers and portable storage devices, use software for securely erasing data, usually called wipe utility programs. They're inexpensive and can provide better results by overwriting the entire hard drive so that the files are no longer recoverable. Deleting files using keyboard or mouse commands usually isn't sufficient because the files may continue to exist on the computer's hard drive and could be retrieved easily.
- Make sure employees who work from home follow the same procedures for disposing of confidential documents, old computers and portable storage devices.
- If you use consumer credit reports for a business purpose, you may be subject to the FTC's Disposal Rule. For more information, see Disposing of Consumer Report Information? Rule Tells How.
My company collects loan applications from customers. The form requires them to give us a lot of financial information. Once we're finished with the applications, we're careful to throw them away. Is that enough?
No. Establish a policy to ensure sensitive documents are rendered unreadable before disposal. Burn, shred, or pulverize them so identity thieves can't steal them from your trash.
Taking steps to protect the data in your possession can go a long way toward preventing a security breach. However, violations can occur. Here's how you can reduce the impact on your business, employees and customers:
- Develop a security incident response plan. Assign a senior staff member to coordinate and implement the response plan.
- If a computer is compromised, disconnect it from the network immediately.
- Promptly investigate security incidents and take action to eliminate existing vulnerabilities or threats to personal information.
- Consider whom to notify in the event of an incident, both inside and outside your organization. You may need to notify consumers, law enforcement, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, many states and the federal bank regulatory agencies have laws or guidelines addressing data breaches. Consult your attorney.
I own a small business. Won't it cost a fortune to implement these precautions?
There is no one-size-fits-all approach to data security, and what's right for you depends on the nature of your business and the type of information you collect from your customers. Some of the most effective security measures (using strong passwords, locking down confidential documents, training your employees, etc.) cost next to nothing, and you can find free or inexpensive security tools on non-profit websites dedicated to data security. Plus, investing in better data security is cheaper in the long run than losing your customers' goodwill, fighting back in court, and facing other possible consequences of a data breach.
These websites and publications contain more information about protecting confidential data:
National Institute of Standards and Technology (NIST)
Computer Security Resource Center
SANS Institute (SysAdmin, Audit, Network, Security)
Critical Security Controls
United States Computer Emergency Readiness Team (US-CERT)
Small Business Administration
Better Business Bureau
The FTC works to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or get free information on consumer issues, visit ftc.gov or call toll-free 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261.
Watch a video, How to File a Complaint, at ftc.gov/video to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
Opportunity to Comment
The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency's responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.
FEDERAL TRADE COMMISSION
600 Pennsylvania Avenue, NW
Washington, DC 20580