Keeping Customer and Employee Information Safe
Most individuals now realize how critical it is to protect their personal information. Awareness of personal identity theft has increased over the years, especially as high profile commercial data breaches have occurred. Consumers not only understand the importance of safeguarding their personal information on their own, but they also expect businesses to do so as well.
For businesses, protecting customer information is also the law.
The Fair and Accurate Credit and Transactions Act (FACTA) requires businesses to destroy personal information obtained from customers and employees before it can be discarded.
This means if you don't have a shredder, you need one. Whether you own a multi-million dollar business, employ a personal assistant, or anything in between, if you obtain information about an employee or customer, you must destroy any information you no longer need such as:
- Financial account information
- Social Security numbers
- Driver's license information
- Medical histories
- And so on.
For example, you may have:
- Checked Social Security numbers, references, and credit history for potential employees
- Acquired employee bank account information to make direct payroll deposits
- Checked a customer's credit report before offering a loan or extending credit
- Received customer credit card information during a sale
If you take no other steps, buy a shredder today if you don't have one. Shredders come in all sizes and price ranges, ranging from large industrial shredders costing thousands of dollars to small "personal" shredders costing around $30. For most small business needs, a heavy-duty personal shredder should be just fine.
But that's really just the beginning. No matter how you received the information, if you decide to throw documents away, you must destroy them first. To protect information you don't plan to dispose of:
- Restrict access to sensitive data on a "need to have access to" basis. If an employee doesn't need access, don't grant it.
- Reward employees who identify security issues or potential threats. Make it everyone's job to keep customer information - and employee information - safe and secure.
- Secure files, documents, and electronic data. Lock up documents when not in use. Limit access to only those employees who need access. Password-protect computers and electronic files. And again, shred any document you don't need to save.
- Use a secure connection to transmit customer data. Transport Layer Security (TLS) or Secure Sockets Layer (SSL) should be used to protect credit card and other financial data transmitted via the Internet.
- Encrypt files or data you store or send via the Internet.
- "Wipe" your electronic files. Simply hitting "delete" doesn't permanently delete electronic information. A wiping program must be used to permanently delete unnecessary electronic data.
- Develop a response plan in the event data is compromised. Determine ahead of time who to notify (banks, lawyers, law enforcement, customers, credit bureaus, etc.) Take action immediately; your customers would rather hear about problems - and what you plan to do to overcome the problem - from you rather than from someone else.
What happens if you don't protect customer information adequately? You could face:
- Federal fines. The federal government could fine you up to $2,500 for each violation.
- State fines. States can fine up to $1,000 for each violation.
- Class-action lawsuits. If a number of people are affected, they may be able to bring class-action suits and get punitive damages.
- Civil liability. The victim could be entitled to recover actual damages sustained if his or her identity is stolen as a result of your lack of action and lack of security precautions. Or you could be required to pay statutory damages of up to $1,000 per violation.
Protecting your customers and employees by putting practices into place that protect sensitive information is not just the law, it’s good business. Certainly you’d rather deal with businesses that have these types of policies too.