Safeguarding the privacy of customers’ information
Your commercial clients already know how important it is to safeguard customers’ privacy and data, and have no doubt taken steps to do so. But small businesses often lack the robust security needed to withstand hackers’ tricks. They may assume that, because they are small potatoes, hackers will see them as an unattractive target. They are wrong.
Legal obligations to safeguard customers’ privacy
The FTC requires businesses to have a written program in place documenting the steps taken to safeguard customers’ personal information. The rule itself is published by the FTC. Have you completed your information security plan?
Objectives of the FTC’s safeguards rule
Everyone knows that identity theft has become a regularly occurring nightmare.
In a recent high-profile case, a software vendor that provided services to the three national credit agencies had an employee who sold customer information to identity thieves. At last report, authorities knew of at least 30,000 victims and an estimated $2.7 million in losses.
Consider the number of consumer customers your business currently has and the much larger number of “customer files” that your business has established over the years. No doubt you still maintain this data, whether in paper form, in digital or other data-preservation formats, or both. Now consider the active files sitting around your offices or in your computer’s active database: How safe is that information? Whatever your answer might be, the stated objectives of the safeguards rule are:
- Ensure the security and confidentiality of customer information.
- Protect against any anticipated threats or hazards to the security or integrity of such information.
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
An overview of your security plan to safeguard customers’ privacy
- You must have a written information security plan for protecting customer information. Depending upon your organization’s size and complexity, the plan could be as short as one or two pages or much, much longer. The safeguards rule specifies that your program should be appropriate to your shop’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue.
- You must have designated an employee or employees to coordinate your safeguards program. Ideally, the employee(s) should be identified in the plan. As personnel changes, be certain to always have one or more employees designated as safeguards point person(s). Of course, the employee(s) should know that they have been so designated.
- You must have identified and assessed the risks that must be addressed in safeguarding customer information in each relevant area of your organization’s operation and evaluate, on an ongoing basis, the effectiveness of current safeguards for controlling these risks.
- You must have a program for monitoring the plan and the safeguards in place.
- You must have procedures for regularly checking the adequacy of the security you have established with respect to maintaining customer information.
- You must evaluate all aspects of your program from time to time, to make appropriate adjustments and to explain why you believed the adjustments were appropriate.
- You must always select appropriate “service providers” and require them (by contract) to implement safeguards that are appropriate to their organization in protecting consumer information.
What else should be included in your customers’ privacy plan
In addition, the safeguards rule requires that you consider all areas of your operation, with special emphasis on three critical areas: employee management and training; information systems; and managing system failures.
The FTC suggests the following practices be implemented:
- Employee management and training. The success or failure of your information security plan depends largely on the employees who implement it.
  - Reference check. Check references prior to hiring employees who will have access to customer information.
  - Signed agreement. Ask every new employee to sign an agreement to follow your organization’s confidentiality and security standards for handling customer information.
  - Employee training. Train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:
    - Lock rooms and file cabinets where paper records are kept.
    - Use strong passwords (at least eight characters long).
    - Encrypt sensitive customer information when it is transmitted electronically over networks or stored online.
    - Refer calls or other requests for customer information to designated individuals who have had safeguards training.
  - Ongoing reminders. Instruct and regularly remind all employees of your organization’s policy – and the legal requirement – to keep customer information secure and confidential. Provide employees with a detailed description of the kind of customer information you handle (name, address, account number, and any other relevant information). Post reminders about their responsibility for security in areas where such information is stored – in file rooms, for example.
  - Limit access. Only employees who have a business reason for seeing customer information should have access. For example, grant access to customer information files to employees who respond to customer inquiries, but only to the extent they need it to do their job.
FTC guidelines for your electronic information systems
Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Here are some suggestions on how to maintain security throughout the life cycle of customer information – that is, from data entry to data disposal:
Store records in a secure area. Make sure only authorized employees have access to the area. For example:
- Store paper records in a room, cabinet, or other container that is locked when unattended.
- Store electronic customer information on a secure server that is accessible only with a password – or has other security protections – and is kept in a physically secure area.
- Don’t store sensitive customer data on a machine with an internet connection.
- Maintain secure backup media and keep archived data secure, for example, by storing off-line or in a physically secure area.
Provide for secure data transmission (with clear instructions and simple security tools) when you collect or transmit customer information. Specifically:
- If you collect information directly from consumers, make secure transmission automatic. Caution consumers against transmitting sensitive data, like account numbers, via electronic mail.
- If you must transmit sensitive data by electronic mail, ensure that such messages are password protected so that only authorized employees have access.
Dispose of customer information in a secure manner. For example:
- Hire or designate a records retention manager to supervise the disposal of records containing non-public personal information.
- Shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up. Promptly dispose of outdated customer information.
Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information.
How to manage system failures to safeguard customers’ privacy
Effective security management includes the prevention of, detection of, and response to attacks, intrusions or other system failures. Maintain up-to-date and appropriate programs and controls by:
- Following a written contingency plan to address any breaches of your physical, administrative or technical safeguards.
- Checking with software vendors regularly to obtain and install patches that resolve software vulnerabilities.
- Using anti-virus software that updates automatically.
- Maintaining up-to-date firewalls, particularly if you use broadband Internet access, or allow employees to connect to your network from home or other off-site locations.
- Providing central management of security tools for your employees and passing along updates about any security risks or breaches.
Take steps to preserve the security, confidentiality and integrity of customer information in the event of a computer or other technological failure. For example, back up all customer data regularly.
Maintain systems and procedures to ensure that access to nonpublic consumer information is granted only to legitimate and valid users.
Notify customers promptly if their nonpublic personal information is subject to loss, damage or unauthorized access.
Originally published by Zurich, this article is reposted with Zurich’s permission.