Nearly all businesses collect some sort of personal information on its clients, customers or employees. This might include such things as the individual's name, address, age, gender, identification numbers, income, employment, assets, liabilities, source of funds, payment records, personal references and health records.
If your business maintains people's personal information, you must protect that information from theft or misuse. Here are some basic rules:
- If you do not need it, do not collect it. This seems obvious, but many businesses collect more information than they need. The more you have, the more tempting it becomes to a thief and the more damaging it is to your customers if the information is stolen.
- If you need it once, do not save it longer. Companies sometimes collect information that is necessary to complete a single transaction, then compulsively file that information away (either in a paper file or in a computer file). If you are not required by law to keep the information, and you seldom, if ever, use it, then get rid of it. If you do not keep it, it cannot be stolen.
- If you got it, but you do not need to save it, dispose of it carefully. A good deal of identity theft happens by thieves going through trash barrels or dumpsters. Even the smallest business can afford an inexpensive paper shredder. Make sure you use yours to destroy customer or employee records.
- If you have to keep it, think security. First, make sure those paper records that contain personal information are kept under lock and key when they are not in use. Make sure computer terminals are password protected. Only those who have an absolute need-to-know should have access to personal information. Do not allow customers or others to wander around the private areas of your business.
- Do not broadcast personal information. How often have you stood in line at an office or store behind someone who was being asked to give his/her social security number or telephone number or birth date? How many times have you watched a company's employee pull up personal information on a computer screen that was visible to other customers? Or seen personal information on a file that was left open on a desk or counter. Instruct your employees to be sensitive to these issues. Turn computer screens so they cannot be viewed by anyone other than the operator. Instruct employees who need to have personal information to have customers jot that information down, not repeat it out loud where it can be overheard by others. Do not put personal information like account numbers in billings or letters where that information is visible through windows in the envelope.
- Do not use Social Security numbers as account numbers. While not common, this practice is just downright dangerous - to you and your customers.
- Do not give out employee or customer information to anyone whose identity cannot be positively confirmed. Information thieves and stalkers who pose as government agencies or credit grantors or health insurance providers, have found that a well-crafted, believable story can often get past the best locked file cabinets or password-protected computers. Your organization should have very strict policies on when and how employee or customer information is shared.
- Locks and alarms are a real deterrent. Make sure your business is secure when it is closed. Make sure all vital records and offices are locked during non-business hours. Exterior doors should have deadbolt locks. Hinges on exterior doors should be secured to prevent removal. Exposed windows should be protected with bars, screens or shatter-proof glass. The business' exterior should be adequately lighted from dark to dawn. Naturally, the business should be protected by an alarm system, preferably one that is monitored by the security company. Your business insurance company -- or, in some cases, your local police - may be able to assist you with a security assessment.