It makes good sense for businesses to place a high priority on keeping personal identifying information secure: it is a popular target of identity thieves.
The U.S. Postal Inspection Service and the Federal Trade Commission, together with several private entities, have developed this guide to help businesses protect personal information in their custody by conducting self-assessments of how they receive, protect, store, distribute, and destroy such information.
Identifying Access to Personal Information Records
Personal identifying information may be located in numerous places throughout your business. By identifying the locations, you can develop a plan to keep it secure. Here are some guidelines to help get you started.
- List the categories of records you maintain with personal identifying information by group, such as customers, employees, students, faculty, or patients.
- Identify all who have access to personal identifying information. For example, does it enter your business via the Internet, a call center, or in written forms? Who could access the information at each point of entry?
- Where and in what format do you store personal identifying information? Who can access the stored information? Note every location and every format in which it is stored, and develop appropriate protective measures for each format.
- How do you use personal identifying information? Who can access the information when it is in use?
- How does personal identifying information leave your organization, and who can access it as it exits your business? Consider employees, third-party contractors (e.g., consultants as well as data processing, janitorial, and shredding services staff), customers, and nonemployees.
- Do you transmit personal identifying information electronically, by fax, by mail, or over a wireless computer network? Make sure all transmissions are secure. Do staff have personal identifying information stored on their laptops or in their briefcases, where it can be stolen?
- Do you shred or burn trash containing personal identifying information before it is disposed of? Third-party businesses can dispose of large quantities of data, but be sure to exercise due diligence when selecting a company for this purpose. Old computers containing personal identifying information need to have their hard drives erased using an up-to-date utility program to ensure the files are not recoverable.
By answering these questions, you can develop effective risk-management strategies to protect the personal identifying information in your business.
- What are your security measures for ensuring that only authorized personnel have access to personal identifying information?
- What are your security measures for ensuring that authorized personnel do not commit unauthorized actions with personal identifying information?
- What training do you provide for employees on securing personal identifying information?