Frequently Asked Questions

Given all the things I need to juggle to run my business, why should I make Data Security a priority?

One word — "Trust."  As hard as you've worked to earn your customers' trust in you and your business, it can take just one trigger to break that trust. Your ability to keep your customers' sensitive data secure is one of those make-it-or-break-it triggers.  Customers expect that every business — large or small — that collects their sensitive personal information will protect it.  Beyond customer expectations, there's the law.  Depending on your type of business and the states in which your customers reside, you may be legally required to protect the personal information you collect.

This feels overwhelming. How do I even start this process?

It will be less overwhelming if you approach this piece by piece.  First — determine what makes sense for your type of business.  This will be based on the type of data that you collect and store, and the kind of resources you have managing that data.

If your small business keeps information about customers in several formats (e.g., on paper, on computers, and online), you should sit down with a team of your employees and discuss these issues together to make sure you consider all viewpoints.

  1. Inventory all your data and its various types and forms.
  2. Inventory all the different sites where you store data.
  3. Inventory potential sources for data leaks.
  4. Evaluate the costs versus benefits of different security methods.
  5. Write this all down, and you'll have just created the foundation of your written security policy!

Refer to Chapter 1 of "Data Security — Made Simpler" for some useful checklists that will make this process easier for you and your team.

What are four (4) minimum things a small business should be doing for data security?

  1. If you don't need it, don't collect it...and don't store it. If you have it and don't need it any more, destroy it — responsibly.
  2. Restrict and limit access to sensitive data.  Use locks on doors and file cabinets.  Limit employee access to data to those who need it to do their jobs.  Take precautions when mailing records.  Encrypt sensitive electronic information in every place it is stored: on desktop computers, laptops, phones and tablets, and on USB drives (sometimes called "thumb" drives).  Transmit data over the Internet only over encrypted connections (TLS, the successor to SSL; in a browser, look for "https://" in the address).
  3. Use effective passwords...and issue a unique password to every employee; never let several people share one account.  Never keep the default password that ships with a product or is issued by a service provider.  Never use obvious passwords, such as your name, business name, a family member's name, "12345," "ABCDE," "password," or your user name, and never reuse a password across different services.  Change a password immediately if you suspect it has been exposed; if you also rotate passwords on a schedule (this guide suggests every 45-60 days), make sure the rule does not push employees into writing passwords down or making trivial variations of the old one.
  4. Block potential intruders.  Protect your IT systems from viruses and spyware by using antivirus protection and firewalls.  Make sure these protections, and the operating systems and applications they protect, are kept up-to-date with security patches.

Refer to Chapter 1 of "Data Security — Made Simpler" for more information on these four guidelines and potential resources to help.

What's the best way to destroy paper documents?

Shred them yourself, or hire a reputable shredding company to do it for you. Never just toss paper documents containing sensitive information in the trash or dumpster.

What are some of the best ways to destroy electronic documents?

Use data-wiping software, which overwrites the old information with new, meaningless data. Note that this only works on media that rewrite in place: solid-state drives (SSDs) and USB flash drives remap blocks internally, so wiping software cannot guarantee that every copy of the old data is gone. For those, use the drive manufacturer's secure-erase function, or keep the drive encrypted from the day it enters service so that destroying the key destroys the data. CDs and DVDs can be shredded. Conventional (magnetic) computer hard drives can be "degaussed," which uses extremely strong magnets to remove the magnetic encoding that stores the data; it is a very affordable way to responsibly destroy old hard drives, although a degaussed drive cannot be reused, and degaussing has no effect on SSDs or flash drives because they store nothing magnetically.
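As an added illustration of the overwrite method described above (example code written for this page in Python using only the standard library; it is not part of the guide), the functions below overwrite a file's bytes in place with random data, optionally verify that the original content is gone, then scramble the file name and unlink it. The SSD caveat is stated in the module docstring rather than enforced, because a program cannot reliably tell from user space whether the underlying device rewrites in place.

```python
"""Overwrite-then-delete file wipe (added example, not from the guide).

Demonstrates "writing new, meaningless information on top of old information".
Caveat: this is only meaningful on media that rewrite blocks in place.  SSDs
and USB flash drives remap blocks internally, so an overwrite may leave the
original cells intact; on those, use the drive's secure-erase command or
full-disk encryption from day one instead.
"""
import os
import secrets
from typing import Optional

CHUNK = 64 * 1024  # overwrite in 64 KiB chunks so large files never load fully into RAM


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` `passes` times with random data.

    Returns the number of bytes overwritten per pass.  The file is left in
    place at its original size so the caller can verify the old content is
    gone before unlinking it.
    """
    size = os.path.getsize(path)
    # "r+b" rewrites the existing file rather than creating a new one; the
    # point is to hit the sectors the old data occupied.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next one
    return size


def wipe_file(path: str, passes: int = 3, verify: Optional[bytes] = None) -> bool:
    """Overwrite, optionally verify the old content is gone, then unlink.

    `verify` is the original content when the caller knows it; if any of it
    can still be read back, the file is left in place and False is returned.
    """
    overwrite_file(path, passes)
    if verify is not None:
        with open(path, "rb") as fh:
            if verify in fh.read():
                return False
    # Rename to a random name first so the original file name does not
    # linger in the directory entry, then remove it.
    scrambled = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, scrambled)
    os.remove(scrambled)
    return True
```

A plain `os.remove` (or dragging the file to the Recycle Bin) skips the overwrite step entirely, which is exactly why the guide lists it as a myth below.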

Refer to Chapter 4 of "Data Security — Made Simpler" for more information about these methods and potential resources to help.

What are some common myths about destroying data that I should be aware of?

Here are three examples:

  1. Breaking or smashing an old computer DOES NOT necessarily destroy the information it houses. Just because you break the machine does not mean you're breaking the media where the data is stored (on the hard drive).
  2. Microwaving CDs and DVDs DOES NOT destroy the information on them, and can release toxic fumes into your microwave or cause a fire.
  3. Placing a file in the "Recycle Bin" on your desktop DOES NOT destroy the information.  Neither does clicking "Delete" or emptying the Recycle Bin: the space the file occupied is merely marked as free, and the data remains there and can be recovered until something else happens to overwrite it.

Refer to Chapter 1 of "Data Security — Made Simpler" for more information.

What are the key things I should tell my customers in my Data Security Policy?

Here are some ideas to get started:

    • If you are encrypting sensitive information in every site it is stored — both stationary and portable — tell them that.
    • Consider obtaining a third-party seal that verifies your small business uses an appropriate level of security to protect your web site or your Internet transactions.

Refer to Chapter 1 of "Data Security — Made Simpler" for other ideas of specific data security precautions you may be taking that are appropriate to communicate to your customers. But whatever you say you are doing, make sure you're doing it!  And if you change the way you secure data, make sure you update your policy and your customer communications to reflect that change.

Is there anything I should not communicate in my Data Security Policy?

1. DO NOT SHARE detailed information about your security systems; criminals could use that information to evade them.

2. DO NOT tell customers there is no risk of ID theft, or that their information is "100% safe." No matter how hard you try to protect customer information, there is always a chance that someone may obtain it and misuse it.

3. DO NOT guarantee or promise that a customer's information can never be lost or stolen unless you also tell customers what you will do if that promise is broken.

Refer to Chapter 5 of "Data Security — Made Simpler" for more detailed guidance.

What type of "red flags" might signal suspicious behavior and an attempt at fraud?

Here are just a few examples:

1. A "customer" opens a new account that contains suspicious elements...such as a P.O. Box given as a home address, or an email address that appears to belong to someone else.

2. A customer presents you with suspicious documents, such as an ID card that appears altered, or different addresses on different forms of ID.

3. You (or one of your employees) notice unusual activity relating to a customer's account.

What are the five (5) things small businesses should do to secure their online banking credentials (e.g., PINs, passwords, tokens, etc.)?

1. Initiate payments under dual control. Ensure that payments leave your bank accounts only after two employees have authorized them, and that the person who enters a payment cannot be one of the two who approve it.

2. Update virus protection and security software. Ensure that all anti-spyware, anti-malware, and other security software and mechanisms on every computer workstation and laptop used for online banking and payments are robust and up-to-date, and that there is a process for periodically checking that they remain up-to-date.

3. Use dedicated workstations. If possible, restrict the use of certain workstations and laptops to be utilized solely for online banking and payments.

4. Reconcile accounts daily. Monitor and reconcile accounts daily against expected credits and withdrawals. If unexpected activity is seen on your account, notify your financial institution immediately.

5. Use robust authentication methods. Use multi-factor authentication for account access (a hardware token or one-time code in addition to the password), and, where your bank offers it, out-of-band confirmation of payments over a second channel such as a phone call or text message, so that a stolen password alone cannot move money.
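The dual-control rule in item 1, as an added Python example written for this page (it is not from the guide or from any bank's software): a small payment desk where the person who enters a payment cannot approve it, each approver counts only once, only listed approvers count, and nothing is released until the required number of distinct approvals is present. The names, payee and amounts are constructed for the example.

```python
"""Dual control for payment release (added example, not from the guide).

Models the rule "payments are initiated only after the authorization of two
employees" as separation of duties: initiator != approver, approvers are
distinct and drawn from an authorised list, and release requires a quorum.
Names and amounts used with this class are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


class DualControlError(Exception):
    """Raised when a payment action would violate separation of duties."""


@dataclass
class Payment:
    payee: str
    amount_cents: int
    initiated_by: str
    approvals: Set[str] = field(default_factory=set)
    released: bool = False


class PaymentDesk:
    def __init__(self, authorised_approvers: Set[str], required_approvals: int = 2):
        self.approvers = set(authorised_approvers)
        self.required = required_approvals
        self.payments: Dict[int, Payment] = {}
        self._next_id = 1

    def initiate(self, payee: str, amount_cents: int, by: str) -> int:
        """Record a payment request; returns its id.  Nothing moves yet."""
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        pid = self._next_id
        self._next_id += 1
        self.payments[pid] = Payment(payee, amount_cents, initiated_by=by)
        return pid

    def approve(self, pid: int, by: str) -> int:
        """Add one approval; returns the approval count so far."""
        p = self.payments[pid]
        if p.released:
            raise DualControlError("payment already released")
        if by not in self.approvers:
            raise DualControlError(f"{by} is not an authorised approver")
        if by == p.initiated_by:
            raise DualControlError("the initiator cannot approve their own payment")
        if by in p.approvals:
            raise DualControlError(f"{by} has already approved this payment")
        p.approvals.add(by)
        return len(p.approvals)

    def release(self, pid: int) -> Payment:
        """Mark the payment as released; only allowed once the quorum is met."""
        p = self.payments[pid]
        if p.released:
            raise DualControlError("payment already released")
        if len(p.approvals) < self.required:
            raise DualControlError(
                f"{len(p.approvals)} of {self.required} required approvals present"
            )
        p.released = True
        return p
```

In a real deployment the approver list would come from the bank's user administration rather than a constructor argument, and each approval would be tied to the second authentication factor described in item 5, so that a single compromised login cannot supply both approvals.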