Securing Your Personal Data
Start With the Basics

Customers expect that every business — large or small — that collects their personal information will protect it. Beyond customer expectations, there’s the law. Depending on your type of business and the states in which your customers reside, you may be legally required to protect the personal information you collect.

First, determine what makes sense for your type of business. This will be based on the type of data that you collect and store, and the kind of resources you have managing that data.

If your small business keeps information about customers and employees in several formats (e.g., on paper, on computers, and in the cloud), you should sit down with a team of your employees — an IT person, office manager, etc. — and discuss these issues together to make sure you consider all viewpoints.

  1. Inventory the TYPES of data you collect, store and/or transmit.
  2. Inventory HOW you store your data.
  3. Inventory WHERE you store your data for each type and format of customer information.
  4. Inventory HOW DATA IS MOVED and WHO HAS ACCESS to it. Take into consideration your type of business, and the stationary and portable tools your employees use to do their jobs. This is a very important part of the inventory process, as it will help you begin to identify the potential ways that personal data could be inadvertently disclosed. If you think you need outside help to identify potential leak points, consider consulting with an IT security expert and/or the bank or processor that provides your merchant account services.
  5. Inventory the DATA CONTROLS YOU HAVE IN PLACE.
  6. Evaluate COSTS versus BENEFITS of different security methods. Brainstorm different types of security procedures and think about whether they make sense for the type of information you maintain, the format in which it is maintained, the likelihood that someone might try to obtain the information, and the harm that would result if the information was improperly obtained.
  7. Write it down. Type up the checklists you’ve just created, the security measures you are taking, and an explanation on why these security measures make sense.


Congratulations — you've just created the foundation of your written security policy!


Checklists


1.  Inventory the TYPES of data you collect, store and/or transmit.

  • Names
  • Physical addresses
  • Residential phone numbers
  • Mobile phone numbers
  • Email addresses
  • Payment card information
  • Account numbers
  • Invoice numbers
  • Social Security numbers
  • Driver's license numbers
  • Business identification numbers
  • Types and amounts of transactions

2.  Inventory HOW you store your data.

  • Paper invoices
  • Paper mailing lists
  • Paper customer files
  • Paper order requests
  • Email
  • Databases
  • Spreadsheets
  • Contracts
  • Business plans
  • Financial reports

3.  Inventory WHERE you store your data for each type and format of customer information.

Physical Storage sites

  • Desk drawers
  • Filing cabinets
  • Mail room
  • Home offices

Electronic storage sites 

  • Desktop computers
  • Laptop computers
  • Servers
  • Smartphones
  • Tablets
  • USB thumb drives
  • CDs, DVDs
  • Online hosts/cloud providers

4.  Inventory HOW DATA IS MOVED and WHO HAS ACCESS to it

Take into consideration your type of business and the desktop and mobile tools your employees use to do their jobs. This is an important part of the inventory process, as it will help you begin to identify the potential ways that sensitive data could be inadvertently disclosed. If you think you need outside help to identify potential leak points, consider consulting with an IT security expert and/or the bank or processor that provides your merchant account services. 


Data Access and Flow Checklist 

Physical storage sites

  • Desk drawers
  • Filing cabinets
  • Mail room
  • Home offices


Electronic storage sites

  • Desktop computers
  • Laptop computers
  • Servers
  • Smartphones
  • Tablets
  • USB/thumb drives
  • CDs, DVDs
  • Online hosts/cloud providers
5.  Inventory the DATA CONTROLS YOU HAVE IN PLACE.

Control Protection Tools Checklist

  • All machines that have important data or are connected to a network are password protected?
  • All machines that have important data can only be accessed by employees who have a business need to access the data?
  • All machines that have important data or are connected to a network reside behind a corporate firewall? The firewall software must be configured to receive regular security updates.
  • Computer operating systems have all current updates and patches on all devices?
  • Antivirus software is fully up-to-date on all machines? Scans should be run on a regular basis, at least once a week.
  • Data encryption in place on all devices that store sensitive information?
  • Electronic data is automatically backed up and can be restored in the event of human error, system failure or natural disaster?
  • You and your employees know how to recognize — and avoid — phishing emails that may enter via business or personal email accounts?
  • Controls are in place for third parties, such as consultants and independent sales representatives, requiring them to safeguard sensitive data?
  • Malware protections for what may try to enter via:
    • Business email accounts?
    • The Internet (e.g., web browsers, web-based email)?
  • Portable storage devices (e.g., USB sticks, iPods) cannot be connected to endpoint machines and download sensitive data without authorization?


6.  Evaluate COSTS versus BENEFITS of different security methods. Brainstorm different types of security procedures and think about whether they make sense for the type of information you maintain, the format in which it is maintained, the likelihood that someone might try to obtain the information, and the harm that would result if the information was improperly obtained.

7.  Write it down. Type up the checklists you’ve just created, the security measures you are taking, and an explanation on why these security measures make sense.

Congratulations — you've just created the foundation of your written information security policy!
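The seven inventory steps above can be kept as a small data-flow register and checked automatically against the controls in checklist 5 and the "Restrict access" rules below. The following Python script is an added example, not code from the original page: the grouping of which data types count as most sensitive and which storage sites count as portable is an assumption made for the example, and the three inventory rows are constructed sample data.

```python
from dataclasses import dataclass

# Assumption for this example: the data types from checklist 1 that cause the
# most harm if disclosed. Adjust to your own inventory.
SENSITIVE_TYPES = {
    "payment card information", "account numbers",
    "Social Security numbers", "driver's license numbers",
}
# Assumption for this example: storage sites from checklist 3 that are
# frequently lost or stolen.
PORTABLE_SITES = {"laptop computers", "smartphones", "tablets",
                  "USB thumb drives", "CDs, DVDs"}


@dataclass
class StorageRecord:
    """One row of the inventory: one kind of data, where it lives, who reaches it."""
    data_type: str          # step 1: the TYPE of data
    fmt: str                # step 2: "paper" or "electronic"
    site: str               # step 3: WHERE it is stored
    accessed_by: set        # step 4: WHO HAS ACCESS today
    needs_access: set       # step 4: who has a business need for it
    encrypted: bool = False # step 5: a control that is in place
    backed_up: bool = False # step 5: a control that is in place


def find_leak_points(inventory):
    """Apply the checklist controls to every record; return a list of findings."""
    findings = []
    for r in inventory:
        sensitive = r.data_type in SENSITIVE_TYPES
        where = f"{r.data_type} on {r.site}"
        # Access should be limited to people who need the data for their job.
        extra = r.accessed_by - r.needs_access
        if extra:
            findings.append(f"{where}: access not limited to business need "
                            f"({', '.join(sorted(extra))})")
        # Sensitive electronic data should be encrypted in every location.
        if sensitive and r.fmt == "electronic" and not r.encrypted:
            findings.append(f"{where}: sensitive data stored unencrypted")
        # Sensitive data should not sit on portable devices at all.
        if sensitive and r.site in PORTABLE_SITES:
            findings.append(f"{where}: sensitive data on a portable device "
                            "(avoid, or at least encrypt)")
        # Electronic data should be automatically backed up.
        if r.fmt == "electronic" and not r.backed_up:
            findings.append(f"{where}: no automatic backup")
    return findings


# Constructed sample inventory for a small shop (not real data).
SAMPLE_INVENTORY = [
    StorageRecord("names", "paper", "filing cabinets",
                  {"office manager"}, {"office manager"}),
    StorageRecord("payment card information", "electronic", "servers",
                  {"bookkeeper", "owner"}, {"bookkeeper"},
                  encrypted=True, backed_up=True),
    StorageRecord("Social Security numbers", "electronic", "USB thumb drives",
                  {"sales rep"}, {"sales rep"}),
]

if __name__ == "__main__":
    for finding in find_leak_points(SAMPLE_INVENTORY):
        print("-", finding)
```

Each finding names a leak point to close or to justify in the written policy from step 7; a row that produces no finding already satisfies the controls the checklist asks about.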


Minimum Security Checklist for Small Businesses


Minimize what you save & store

  • Don't collect or retain information you don't absolutely need.
  • Destroy information when it is no longer needed, and destroy it responsibly.

Use effective passwords

  • Never use the default password provided by another company or service provider.
  • Use "strong" passwords that are unique to each user. Strong passwords include some combination of numbers, letters, and symbols. Never use obvious passwords such as your name, your business name, any family member's name, "12345," "ABCDE," "password" or your user name.
  • Change passwords frequently — every 45-60 days.
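The password rules above (no vendor defaults, a mix of letters, numbers and symbols, and nothing built from your name, business name, family names, user name or the listed obvious strings) can be enforced when an account is created. The following Python checker is an added example, not code from the original page; the minimum length of 12 characters is an assumption, since the page gives no number, and the sample names and defaults are constructed.

```python
import re

# Obvious passwords named in the checklist above.
OBVIOUS_PASSWORDS = {"12345", "abcde", "password"}
# Assumption for this example: the page sets no length, so 12 is used here.
MIN_LENGTH = 12


def password_problems(password, username="", context_words=(), vendor_defaults=()):
    """Return the reasons a proposed password fails the checklist.

    An empty list means it passed every check.
    context_words:   the user's name, the business name, family members' names.
    vendor_defaults: default passwords shipped by a device or service provider.
    """
    problems = []
    lowered = password.lower()

    if password in vendor_defaults:
        problems.append("matches a default password provided by a vendor")
    if lowered in OBVIOUS_PASSWORDS:
        problems.append("is an obvious password")
    if username and lowered == username.lower():
        problems.append("matches the user name")
    # The checklist says never to use a name; reject a password that merely
    # contains one (such as 'Acme2024!'), since such variants are easy to guess.
    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains the name '{word}'")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("has no letters")
    if not re.search(r"[0-9]", password):
        problems.append("has no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("has no symbols")
    return problems


if __name__ == "__main__":
    # Constructed sample values for a fictional business.
    candidates = ["password", "Acme2024!!!!", "Tr0ub4dor&3-Walk1ng"]
    for pw in candidates:
        result = password_problems(pw, username="jsmith",
                                   context_words=("Acme", "Smith"),
                                   vendor_defaults=("admin",))
        print(pw, "->", "OK" if not result else "; ".join(result))
```

Run the checker at account creation and at every password change; it does not check that each user's password is unique across users, which the checklist also asks for, so that rule still needs to be handled by your password manager or directory policy.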

Block potential intruders

  • Restrict computer use to business-only purposes. Malware and viruses can sneak onto business machines when employees use them to visit social networking and other personal websites.
  • Protect your IT systems from viruses and spyware by using up-to-date antivirus protection and firewalls. Most operating systems and antivirus programs contain an automatic update feature that updates the software as new viruses and spyware become known.
  • Antivirus may not be enough. Consider supplementing your antivirus protection and firewalls with other specialized protection tools, such as intrusion prevention and anti-spam technologies. Run full scans for virus and spam detection at least once a week.

Back-up and recover information

  • Reduce business downtime from simple human error, hardware malfunctions or disasters. Put protections in place that will ensure ready access to data and easy data recovery should any of these occur.
  • Store backups or copies of your backups in a secure location that is physically separate from your operational systems.

Restrict access

  • Limit the number of sites/locations where information is stored.
  • Keep paper records in a locked cabinet, or in a room that stays locked when not in use.
  • Limit access to data to only those employees or outside providers who need the information to do their job.
  • Encrypt sensitive electronic information in every location it is stored.
    • Most standard software packages, including Microsoft Office, come with basic encryption features already included.
    • If your business electronically processes a great deal of sensitive information, invest in higher-level security software to provide advanced encryption software for desktops, laptops, and removable storage devices.
  • Do not store sensitive information on portable storage devices (e.g., USB drives, CDs, laptops, smartphones, tablets, etc.) as these are frequently lost or stolen. If this practice is unavoidable, make sure the devices are secured and the information is encrypted.

Use Caution when sharing

  • Transmit data over the Internet using secure connections such as SSL technology. Several companies offer relatively inexpensive web-based sites, known as FTPS sites, which can transfer data with a secure connection.
  • Do not transmit sensitive information by regular email unless it is encrypted.
  • Take precautions when mailing records. Use a security envelope, require the recipient to sign for the package, and ask the delivery service to track the package until it is delivered.


U.S. Laws Governing Data Security

Federal Laws

The Gramm-Leach-Bliley Act ("GLBA") and the Health Insurance Portability and Accountability Act ("HIPAA") require that financial and health care providers take steps to ensure that personal information is secure. Consult an attorney to determine if you are covered by these laws, as the government considers many small businesses "financial institutions" or "health care providers" even when the business might not consider itself to be involved in financial services or health care.

State Laws

At least twenty states have passed laws requiring small businesses to implement procedures to prevent personal information from being disclosed or improperly used. Some states specifically require that small businesses encrypt personal information that is sent over the Internet. Unlike federal laws, these state laws apply to all small businesses — not just those that are financial institutions or health care providers. Additionally, almost every state has passed legislation requiring disclosure of any incidents involving the loss of consumer information.

Contractual Requirements

Small businesses that accept credit and debit card payments are contractually required to take certain steps to secure the payment card information they collect. Contact the bank or the company that manages your payment card processing, or visit http://pcisecuritystandards.org, for details on the Payment Card Industry Data Security Standard (PCI DSS) requirements for protecting payment card data.

Additional Resources

  • Techniques to secure electronic data
  • Creating a data security plan
  • Providers of SSL certificates — to transmit data securely over the internet
  • Secure web-based FTP sites for transferring data
  • Rules for small businesses that accept payment cards
  • Statistics
