Requirements to Protect Personal Information

Like many business professionals, your laptop and cell phone have become a corporate archive of important and confidential business information about your company. Smart phones have allowed sensitive data to be available at your fingertips that can be carried most anywhere. Identity thieves can have an easy time of accessing data that is legally protected if you don't address security issues in your overall Information Technology plan. Many businesses find it more cost-effective to secure the information they have rather than try to repair the damage and rebuild consumer confidence after a data loss or breach. Moreover, federal and state laws require companies to implement reasonable information security practices. Depending on your business and the type of information you keep, these laws may apply to you. A single basic standard for data security The Federal Trade Commission has tried to develop a single basic standard for data security that strikes the balance between providing concrete guidance, and allowing flexibility for different businesses' needs. The standard is straightforward: Companies must maintain reasonable procedures to protect sensitive information. Whether your security practices are reasonable will depend on the nature and size of your business, the types of information you have, the security tools available to you based on your resources, and the risks you are likely to face. Simple security tips High standards of data security should be implemented on portable electronic devices that store or provide access to sensitive information, such as employee and customer information. Many smartphone and laptop users, however, ignore simple security measures. Here is a list of simple security tips that will help keep your data confidential Passwords. Avoid jotting down your passwords on a sticky note in your laptop bag. Don't use shortcut keys to program passwords, access codes, or credit card numbers. Find ways to memorize your passwords and use strong passwords that consist of numbers and letters.
Don't collect and keep data unnecessarily.
If you don't have a valid business reason to collect personal information, don't ask for it in the first place. Review the forms you use to gather data — like credit applications and fill-in-the-blank web screens for potential customers — and revise them to eliminate requests for information you don't need. Before traveling, check your carry on, smartphone, and laptop for data that shouldn't go with you. Unless you have a legitimate business justification, don't hold onto customers' credit card information, including account numbers and expiration dates. Keeping sensitive data longer than necessary creates an unwarranted risk for fraud. Don't use Social Security numbers as employee identification numbers or customer locators. Keep things in sight. According to a company that insures personal computers, 10% of laptop thefts occur in airports. Keep your eye on your electronic devices when going through airport screening. Don't put your cell phone or computer on the conveyor belt until the person directly ahead of you has made it through the metal detector. Laptop and smartphone screens. Consider buying a filter for your laptop/smartphone screen if you work on confidential documents while you travel. Hotel business center. Don't inadvertently leave printed documents on the printer/copier/fax machine. Cell phone conversations. Sensitive information can be blurted out during loud cell phone conversations. Remind yourself to keep your guard up in public. Home computers. Companies with a diligent IT department may keep the companies computers and other electronic devices up-to-date with the latest firewall, anti-virus, and anti-spyware protection and the latest security patches, but if your home computer is used even occasionally for business, robust security software should be installed and kept up-to-date on home computers as well. Storage. When discarding or recycling old computers and cell phones, deleting files using keyboard commands is not sufficient because data remains in a device's memory. Ideally, you should destroy the hard drive or memory device. Have a written policy in place. If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what must be kept, how to secure it, how long to keep it, who's authorized to access it, and how to dispose of it securely when you no longer need it. For more information, see the FTC's guide Protecting Personal Information: A Guide for Business. Dan A. Penning