22 Tips for securing your company's data
Overview
Companies are entrusted with the personal information of employees and customers - data such as names, Social Security numbers, credit card information or other account details. Over 250 million identities have been exposed in data breaches since 2005, costing companies legal liabilities, loss of customers and millions of dollars.
This document provides best practices and tips for an identity theft program, defines personal information and sensitive data, and helps establish your company policy for its proper handling. In addition, the program will enable you to protect your customers and employees from fraud and identity theft, identify possible threats, and respond accordingly while reducing your risks and minimizing possible damages from a data security breach.
All company employees, contractors, consultants, temporary workers, and all personnel affiliated with third parties who have access to your data should be required to comply with these safeguards as outlined by the Federal Trade Commission.
Throughout this policy the term "data" encompasses any sensitive information that is given, retrieved, obtained, handled, transferred, stored, or disposed of by your company.
We trust you will find these tips valuable, easy to implement and useful. If you'd like more information on how you can better secure your company, call us toll-free at 1-800-805-7004 or e-mail Mike Bruemmer, VP of Sales, at mbruemmer@csidentity.com.
Sincerely,
Mike Bruemmer
CSIdentity
Your Company Data
Your company may have access to several forms of non-public, personal, sensitive information or data, including (but not limited to) customer or employee:
- Names
- Maiden name
- Date of birth
- Address
- Phone numbers
- Payroll number, pay stubs or pay rates
- Customer or account number
- Confidential or proprietary company data
- Vendor or supplier data
- Social Security number
- Business or employee ID or taxpayer number
- Insurance or medical data including items such as claims, prescriptions or related information
- Credit or debit card data, including the cardholder name and address, card number (in part or whole) or expiration date
- Employee or customer medical data, including but not limited to doctor names and claims, insurance claims, prescriptions and any related personal medical information
Physical Data Security Tips
- Store paper documents and media such as CDs, floppy discs, zip drives, tapes and other backups that contain personal data in locked rooms, file cabinets, desk drawers, overhead cabinets, or other locked storage space when not in use. Access to these data files should be restricted to those who have a legitimate business need.
- Storage rooms, desks, printers, fax machines, and work areas with whiteboards or writing containing sensitive data should be locked at the end of each workday, and documents should be shredded or removed when not in use.
- Employees should log off or lock computers when not in use, and lock file cabinets and office doors at the end of the business day.
- If using off-site storage, only authorized employees should access this site for a legitimate business need and the company should know when this site is accessed.
- Ensure only authorized employees have access to your office. If an unknown person is in your office, management should be alerted so they can take appropriate action.
- If shipping sensitive information to outside contractors, encrypt the information and keep an inventory of what is being shipped and to whom. For overnight shipping, use a service that allows for delivery tracking.
- Discarded data records should be locked in a shred bin labeled "Confidential" or shredded using a cross-cut or diamond-cut shredder.
Electronic Data Security Tips
- Sensitive personal data should not be stored on any computer with an Internet connection unless it's essential for conducting business.
- Encrypt sensitive data that is sent to third parties over public networks (such as the Internet), and encrypt sensitive information stored on your computer network, on discs or on USB drives. Do not e-mail personal data that is not encrypted, and send encrypted data only through authorized company e-mail.
- Any sensitive data sent must be encrypted and password protected and distributed only to approved recipients.
- Additionally, include the following statement in the e-mail: This e-mail and any attachments thereto, are intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you receive this e-mail in error, please immediately notify me by calling (company telephone number) and permanently delete the original and any copy of any e-mail and any printout thereof. Thank you.
- Regularly run updated anti-virus and anti-spyware programs on company computers and network servers.
- Use of laptops should be restricted to only those employees who need them to perform their jobs. Assess what information needs to be stored on each laptop, and delete files with a program that overwrites the data rather than simply deleting them, as deleted files may still remain on the laptop's hard drive. Laptops must be secured and may be locked to employees' desks for greater security.
- Any discarded computers or storage devices must be erased using wiping software to completely remove company files and data.
- Scan computers to identify which open network services are needed. If not necessary, disable services to prevent a security breach.
- When transmitting or receiving credit card information or other sensitive financial data, use Secure Sockets Layer (SSL) or another secure connection for protection.
- Regularly review the security of Web applications for any risk gaps to your system.
- Ensure the use of strong passwords (using a combination of letters, symbols and numbers) and change them frequently. Do not share passwords or post them. Use password-activated screen savers to lock computers when inactive. Employees should be locked out if they do not enter the correct password within a designated number of attempts.
- Utilize firewalls to protect computers while connected to the Internet. Set access controls to determine who is able to see certain information or sites for business needs.
Data Breach Management
- Ensure your company has a data breach response plan to proactively safeguard your company, customers and employees from data loss or fraud.
- Data security lapses should be reported to management immediately for investigation.
Hiring Practices
- Utilize advanced background screening for employees and ensure that all employees, contractors or third-party vendors are screened. Verify that the identity exists and that it belongs to the employee using Identity Verification and Authentication technology.
- Make sure your background check includes ongoing monitoring of employee criminal records to ensure continued safety of company and employee data.
If you'd like more information on how you can better secure your company, call us toll-free at 1-800-805-7004 or e-mail Mike Bruemmer at mbruemmer@csidentity.com (or call him directly at 512.646-2424).

