Protecting Customer and Employee Information (Protect Against Identity Theft)

With identity theft on the rise, most of us – and our customers – are incredibly aware of protecting our personal information: Bank account numbers, credit card numbers, financial statements, medical information, etc. Many individuals routinely shred unneeded banks statements, credit card statements, credit card solicitations, receipts, etc. They do so to protect their identity. For individuals, it's smart.

For businesses, protecting customer information is also the law.

The Fair and Accurate Credit and Transactions Act (FACTA) now makes it a requirement for businesses to destroy personal information obtained from customers and employees before it can be discarded.

What does that mean to you? If you don't have a shredder, you need one. Whether you own a multi-million dollar business, need to hire a nanny, or anything in between, If you obtain personal information about an employee or customer, you must destroy any information you no longer need:

  • Social Security numbers
  • Financial account information
  • Driver's license information
  • Medical histories
  • Etc.

For example, you may have:

  • Received customer credit card information during a sale
  • Checked a customer's credit report before offering a loan or extending credit
  • Acquired employee bank account information to make direct payroll deposits
  • Checked Social Security numbers, references, and credit history for potential employees

No matter how you have received them, if you decide to throw documents away, you must destroy them first. But that's just the start. To protect information you don't plan to dispose of:

  • Secure files, documents, and electronic data. Lock up documents when not in use. Limit access to only those employees who need access. Password-protect computers and electronic files. And again, shred any document you don't need to save.
  • Encrypt files or data you store or send via the Internet.
  • Use a secure connection to transmit customer data. Transport Layer Security (TLS) or Secure Sockets Layer (SSL) should be used to protect credit card and other financial data transmitted via the Internet.
  • "Wipe" your electronic files. Simply hitting "delete" doesn't permanently delete electronic information. A wiping program must be used to permanently delete unnecessary electronic data.
  • Restrict access to sensitive data on a "need to have access to" basis. If an employee doesn't need access, don't grant it.
  • Reward employees who identify security issues or potential threats. Make it everyone's job to keep customer information – and employee information – safe and secure.
  • Develop a response plan in the event data is compromised. Determine ahead of time who to notify (banks, lawyers, law enforcement, customers, credit bureaus, etc.) Take action immediately; your customers would rather hear about problems – and what you plan to do to overcome the problem – from you rather than from someone else.

What happens if you don't protect customer information adequately? You could face:

  • Civil liability. The victim could be entitled to recover actual damages sustained if his or her identity is stolen as a result of your lack of action and lack of security precautions. Or you could be required to pay statutory damages of up to $1,000 per violation.
  • Class-action lawsuits. If a number of people are affected, they may be able to bring class-action suits and get punitive damages.
  • Federal fines. The federal government could fine you up to $2,500 for each violation.
  • State fines. States can fine up to $1,000 for each violation.

Fines and lawsuits aside, protecting your customer's personal information is just good business.

But no matter what other steps you take, buy a shredder today if you don't have one. Shredders come in all sizes and price ranges, ranging from large industrial shredders costing thousands of dollars to small "personal" shredders costing around $30. For most small business needs, a heavy-duty personal shredder should be just fine.

Business owners should also think hard about implementing the other recommended policies and procedures. The same practices you should be using to safeguard customer information can be used to keep your company's financial, customer, and business information safe and secure from theft or misuse. As a result you will be protecting your customers and your business.