A Guide for Guarding Personal Information in the Workplace

It is a common practice for a company to store personal or private information in its files. This information can be as crucial and sensitive as credit card information, social security numbers and other data which directly expose the company's employees or customers.

This type of information is required to complete critical business transactions such as payroll. However, if an unauthorized person gains access to it, it could result in a major loss of privacy and damage to the company and its employees.

Considering the financial, moral and psychological consequences of security violations, it is imperative to protect personal information at all times.

The 5 Key Principles of a Solid Plan for Information Security

  1. Inventory your data. Keep track of all personal information stored in your files and computers.
  2. Trim down and minimize. Store only the data that is crucial for operation of your business.
  3. Keep it locked. Make sure to lock your computers and file storage to keep information secured.
  4. Remove what is unnecessary. Trim down non-essential data and do away with the irrelevant and unimportant.
  5. Be prepared for the worst. Devise a strategy for dealing with unfortunate events involving a security breach.

Read through the following checklists and determine which areas and practices require improvement:

Inventory Your Data

Keep track of all personal and confidential information stored in your files and computers.

Successful and efficient data security begins with an awareness of what information is currently stored in your files, as well as knowing which parties can access it. Establishing a clear picture of how personal information moves externally and internally within a business and identifying the individuals who possess knowledge of it is vital to evaluating the risks which your company's personal information may be exposed to.

  • Check all computers, storage disks and other file storage devices to determine where your company keeps sensitive information. Preferably, you should have all information organized according to type and location. Remember to thoroughly search all areas where personal information could possibly be stored: file cabinets, desktops, laptops, portable hard drives, mobile phones and other related devices. Also, take note of information received through websites, business associates and other sources.
  • Determine what personal data reaches your business by speaking with different department representatives in your company as well as reaching out to external service providers. Make sure you have a concrete idea of the following:
    • The source of personal information transmitted to your business. Where does your business get information? Is it from credit card companies, customers, contractors or other businesses?
    • Process of receiving personal information. How do you receive information? Is it through email, post or fax? Do you receive it through websites?
    • Type of information collected. What kind of personal information does your business receive or require from customers?
    • Ways of storing the personal information your company receives. How is information stored? Where is it stored? Is it stored in employees’ laptops or home computers? Is it kept in filing cabinets? Is it transmitted to satellite offices?
    • Individuals who have (or potentially have) access to the information. Which individuals in your company are authorized to access the information? Who else outside your company has access to it? Are contractors, suppliers or IT personnel able to get hold of that information?
  • There are unique risks associated with different kinds of information. You should always maintain awareness of the methods by which personal information is being stored. Sensitive information such as credit card details and social security numbers is most prone to abuse and violation by fraudulent individuals.

Q: Is there a law stating that companies should securely store sensitive information?

A: Yes, there are laws requiring businesses to keep sensitive information secure. Examples include the Fair Credit Reporting Act and the Federal Trade Commission Act, both of which require companies to have a solid security system for storing sensitive data.

Trim Down and Minimize

Store only the data that is crucial for operation of your business.

If your company does not have a specific need for certain types of personal information, it is best not to request this data in the first place. If you have previously collected personal data which is irrelevant or insignificant to the business, it is prudent to remove it from your files or your records.

  • Information should only be used for legal purposes. An example of this is using a person's social security number when reporting taxes. Avoid using a social security number for other purposes, such as an employee or client identification number.
  • Whenever possible, you should immediately delete credit card information once the business need for such details has been fulfilled. Avoid keeping this information longer than necessary as this will greatly increase the likelihood of identity theft and fraud.
  • Make sure the software used for processing your customer's credit card details is not set to remember or retain this data permanently.
  • Should there be a need to keep sensitive information for business purposes, make sure there is a clearly defined set of rules about what kind of information should be stored. These rules should encompass the length of time that the data will be stored, the methods used for storing it and proper disposal when the information is no longer needed.

Q: In our company, we normally keep a record of our customers' transactions to make sure we have their correct information. This entails keeping their credit card details. Does this increase the risk of their information being violated?

A: Yes. As long as certain information is stored in your system, there will always be the risk of it being stolen and used for fraudulent activities. Therefore, it is essential to properly dispose of information when it is no longer needed for your business.

Keep It Locked

Make sure to lock your computers and file storage to keep information secured.

The ideal way to keep sensitive personal information safe would depend on the type of information and the manner in which it is stored. When devising information security strategies, you must take the following vital components into consideration: electronic security, physical security, security measures of service providers and contractors, and employee training.

Physical Safety

Companies frequently lose sensitive personal information through lost documents or stolen paper files. Typically, the best way to prevent this is to securely lock doors and maintain a high level of vigilance with paper documents in storage.

  • Enact a strict policy for employees to keep sensitive personal information in locked rooms or locked file cabinets. The documents should only be removed when there is a legitimate business need to do so. Employees should always observe precautionary measures, ensuring they do not leave sensitive documents on their desk while they are not at their stations.
  • Only employees with a legitimate business need for documents containing sensitive personal information should have access to storage in locked rooms and file cabinets. Monitor and control those who have the keys and the number of keys they hold in their possession.
  • Constantly remind employees to shut down their computers, return files and securely lock file cabinets and office doors before going home.
  • Apply sufficient access control for your building. Encourage employees to always report suspicious persons or activities within the building.
  • When shipping sensitive data, keep a record of the information that was sent, and when possible, use an overnight courier service which enables you to track the status of the delivery.

Electronic Safety

Computer security should not be an area of concern solely for IT professionals. As a business owner, you should maintain an awareness and understanding of the security risks associated with your computer systems.

General Network Safety

  • Be aware of which computers, laptops and servers have sensitive data stored.
  • Determine the equipment and devices that have connections to the computers where sensitive personal information is stored. These could be computers in various satellite offices, cell phones, computers connected via the Internet and other devices.
  • Avoid storing sensitive personal information on computers that have an Internet connection unless there is a legitimate business need to do so.
  • Make sure all anti-virus and anti-spyware programs are updated, and establish a schedule of regularly running virus scans on all computers as well as your network servers.
  • Analyze your computers and connections in order to evaluate which are most vulnerable. Use your own discretion to determine whether you need to hire experts to execute this.
  • Keep yourself and your employees informed on the latest vulnerabilities and dangers by consulting software manufacturers' and expert websites. Implement strict policies for applying vendor-approved patches to solve problems and remedy irregularities.
  • See to it that you use a secure connection such as SSL (Secure Sockets Layer) when sending or receiving sensitive personal information such as credit card details.
  • Stay on top of your web application security. Web applications are at high risk for a wide range of fraud and other malicious attacks. Make sure you have the necessary defenses to counter these unfortunate incidents.
  • Check the computers in your network to determine which systems do not require certain programs or software, and disable those programs on that particular unit. This can greatly assist in preventing or minimizing illegal access.

Q: When customers submit financial information to our website, we normally encrypt it. After receiving the information, we decrypt and forward it to our branch offices as normal text via email. Can we do more to make the process safer?

A: There is definitely a safer way of accomplishing this. Sending sensitive information through regular email is always a dangerous prospect. Instead of your usual practice, it is advisable to encrypt incoming and outgoing data containing personally identifying information that could be abused by identity thieves. If you need to send large files, use a certified secure service rather than free public drop box providers.

Management of Passcodes and Passwords

  • When creating a password, it is recommended to choose a complicated one that cannot easily be guessed. Encourage employees to choose an alphanumeric password with a combination of special characters to make it stronger. Passwords should always be different from the username. If possible, it is wise to change passwords periodically.
  • Activate screensaver passwords to lock computers which are not in use after a specified period of time.
  • After installing new software on your computers, be sure to change the default password supplied by the vendor. Remember to use a strong password to discourage hacking and other fraudulent activities.
  • Prohibit employees from divulging their passwords or writing them down and posting them on their desks.
  • Block users who key in the incorrect password after a specified number of login attempts.
  • Caution employees against giving out their passwords to anyone who claims to be calling from the IT department. Fake calls intended to trick employees into giving out sensitive information are common within companies. Frequently remind employees that it is strict company policy to NEVER divulge passwords to others.

Q: From time to time, members of our staff need the financial information of our customers that is stored in a password-protected database. In order to easily remember the access information, we use our company name as the password. Could this raise the possibility of our data being compromised?

A: Yes, it will inevitably lead to security troubles. When trying to hack accounts, hackers will begin by trying words which are most likely to be used as passwords. One of these is your company name. To counter incidents of hacking, always use strong and complicated passwords which are a combination of numbers, letters, and special characters. It is also crucial that you change your passwords from time to time.
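As an added example (not part of this guide), the following Python code checks a candidate password against the rules above, including the company-name and vendor-default cases from the question just answered, and locks an account after a set number of consecutive failed attempts. COMPANY_NAME, VENDOR_DEFAULTS and the limits are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample values for this example (not from the guide).
COMPANY_NAME = "examplecorp"
VENDOR_DEFAULTS = {"admin", "password", "changeme", "default"}
MAX_ATTEMPTS = 5  # lock the account after this many consecutive failures


def password_problems(password: str, username: str) -> list[str]:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        problems.append("must mix letters and digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("must include a special character")
    if username.lower() in lowered:  # also catches password == username
        problems.append("must not contain the username")
    if COMPANY_NAME in lowered:
        problems.append("must not contain the company name")
    if lowered in VENDOR_DEFAULTS:
        problems.append("is a vendor default password")
    return problems


class LoginGuard:
    """Counts consecutive failed logins per user and locks the account at the limit."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS) -> None:
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, username: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'locked', 'denied' or 'allowed'."""
        if username in self.locked:
            return "locked"  # stays locked even if the password is now correct
        if not password_ok:
            self.failures[username] += 1
            if self.failures[username] >= self.max_attempts:
                self.locked.add(username)
                return "locked"
            return "denied"
        self.failures[username] = 0  # a successful login resets the counter
        return "allowed"

    def unlock(self, username: str) -> None:
        """Administrative reset, after the user's identity has been verified through an official channel."""
        self.locked.discard(username)
        self.failures[username] = 0
```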

Laptop Safety

  • Limit laptop use to those with a business need for mobile computing in order to carry out work-related tasks.
  • Identify sensitive information stored in your laptop and determine the data that no longer needs to be stored. If specific information is no longer necessary, delete it using a wiping program which overwrites the information on the computer. Using the standard keyboard command or mouse procedure for deleting files is not enough to totally wipe the information from your hard drive.
  • Ensure that laptops have secure storage, or use locks and wires to securely hold laptops in each employee’s workstation.
  • If possible, allow employees to access sensitive data through their laptop but restrict the ability to store this information. Using this method, data is stored in a secure central system and the laptops serve as terminals that display the data from the central computer without creating local copies. For even more stringent security, access to the central computer would require a thumb print or other biometric authentication coupled with a password.
  • For laptops which must store sensitive information, encrypt the information and configure the settings so that users cannot download or install any software that would make unauthorized changes to the security settings for the encrypted data.
  • Always remind employees to be extra vigilant while traveling. Teach them some basic yet significant practices for ensuring security. For instance, require that they always keep the laptops and storage devices in their presence and never leave them in areas where they cannot keep a close watch.

Firewalls

  • It should be a company requirement to enable a firewall for all computers. A firewall makes it difficult for hackers to remotely access your computer. If your firewall settings are properly configured, any attempts to locate your system and gain access to your files will be prevented.
  • Depending on the need, you may also choose to install a border firewall which isolates your network from the Internet and can hinder attempts to illegally access a computer where sensitive personal information is stored.
  • Install additional firewalls on computers where sensitive information is stored if other computers in the same network are not storing the same data.
  • Enable firewall access controls and review them regularly to keep track of the data that will be accessible and the number of employees who are allowed to access this data.

Wireless and Remote Access

  • Determine whether your company uses wireless devices or cellular phones to send and receive sensitive data. If this is the case, limit those who can use such devices to access your computer network.
  • Encrypt data that is transmitted from wireless devices to your computer network, and encrypt the connection when allowing remote access to your computer for troubleshooting or updating software. This makes it more difficult for hackers to access the information. It also discourages spoofing, which is the practice of outside parties impersonating your computers in order to gain access to your network.

Detecting Breaches

  • Maintain a central log file for all security-related information in order to keep track of what is taking place in your network and more effectively detect and deal with attacks. Should there be any attacks on your computers, the central log will provide information that can help you determine which computer has been attacked.
  • Install a system for detecting intrusion. This intrusion-detecting equipment should be updated regularly to maintain the capability of responding to new kinds of threats.
  • Keep a close watch on incoming traffic and user activity for indications of possible security violations.
  • Outgoing traffic should also be monitored. Always check if there are unusual amounts of data being sent from your network to an unknown recipient.
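Added example, not part of the original guide: a small Python check run over constructed central-log lines that raises a finding for a burst of failed logins on one computer and for an unusually large volume of data sent to a destination that is not on a known list. The key=value log format, the allowlist of known destinations and the thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample central-log lines (key=value format assumed for this example).
SAMPLE_LOG = """\
2024-05-01T08:01:00 host=ws-12 event=login user=jsmith result=fail
2024-05-01T08:01:05 host=ws-12 event=login user=jsmith result=fail
2024-05-01T08:01:09 host=ws-12 event=login user=jsmith result=fail
2024-05-01T08:01:14 host=ws-12 event=login user=jsmith result=fail
2024-05-01T08:01:20 host=ws-12 event=login user=jsmith result=fail
2024-05-01T08:02:00 host=ws-12 event=login user=jsmith result=ok
2024-05-01T09:10:00 host=ws-07 event=egress dst=mail.example.com bytes=120000
2024-05-01T09:15:00 host=ws-07 event=egress dst=mail.example.com bytes=90000
2024-05-01T09:20:00 host=ws-12 event=egress dst=203.0.113.45 bytes=350000000
2024-05-01T09:25:00 host=ws-12 event=egress dst=203.0.113.45 bytes=420000000
2024-05-01T09:30:00 host=ws-03 event=egress dst=files.example.com bytes=50000000
"""

KNOWN_DESTINATIONS = {"mail.example.com", "files.example.com"}  # assumed allowlist
FAILED_LOGIN_LIMIT = 5            # consecutive failures per host+user before a finding
EGRESS_LIMIT_BYTES = 100_000_000  # bytes to one unknown destination before a finding


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_suspicious(log_text):
    """Return one human-readable finding per detected condition, in log order."""
    failures = defaultdict(int)  # (host, user) -> consecutive failed logins
    egress = defaultdict(int)    # (host, dst)  -> bytes sent to an unknown destination
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "login":
            key = (rec["host"], rec["user"])
            if rec.get("result") == "fail":
                failures[key] += 1
                if failures[key] == FAILED_LOGIN_LIMIT:  # report once, when the limit is reached
                    findings.append(f"{rec['host']}: {FAILED_LOGIN_LIMIT} consecutive failed "
                                    f"logins for {rec['user']} at {rec['ts']}")
            else:
                failures[key] = 0  # a successful login ends the burst
        elif rec.get("event") == "egress" and rec.get("dst") not in KNOWN_DESTINATIONS:
            key = (rec["host"], rec["dst"])
            before = egress[key]
            egress[key] += int(rec["bytes"])
            if before < EGRESS_LIMIT_BYTES <= egress[key]:  # report once, when the total crosses the limit
                findings.append(f"{rec['host']}: {egress[key]} bytes sent to unknown "
                                f"destination {rec['dst']} by {rec['ts']}")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```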

Training of Employees

No matter how in-depth your written plan for information security is, the success of the plan depends on those who execute it. In order to ensure effectiveness, take the time to sit down with your employees and thoroughly explain the rules. Provide them with proper and sufficient training in identifying security issues and vulnerabilities. Schedule regular training sessions to make sure your employees possess a complete understanding of the security practices utilized by your company.

  • Before hiring people who will be dealing with sensitive information, run a thorough background check to ensure that the information you are protecting will not be violated.
  • All new employees should be required to sign an agreement stating that they will always conform to your organization's rules involving confidentiality and security of sensitive information. Constantly remind the employees of these rules and policies to ensure that no sensitive data will be compromised.
  • If an employee leaves your company or transfers to another department, make it standard operating procedure to remove that employee's access to sensitive information. Disable passwords and ask them to return IDs, keys and other related items as part of the departure process.
  • Instill in your employees the value of information security by conducting regular employee trainings including all employees in all departments and levels. Make it a priority to inform employees about new risks involving information security.
  • Constantly remind employees about your company's information security policies. If possible, post printouts of these policies in employee workstations or wherever sensitive data is stored. Your information security policies should also apply to employees who work from home and those who telecommute.
  • Make your employees aware of phone phishing. Remind them to always be cautious when strangers call to ask for account details in order to complete transactions. Employees should verify calls by contacting the companies through their official contact numbers.
  • Tell employees to inform you right away should there be any possible incidents of security violation or breach.
  • Enforce strict disciplinary procedures for any employee violation of security rules.
  • To learn more about computer security, you can visit www.onguardonline.gov for further information.

Q: There are some employees in our company who are not adept with computers and technology. What measures can our IT professionals take to ensure protection from common types of hacking?

A: Let your IT people check your computer settings to make sure that your systems are protected from attempts of fraud. Check out computer technology websites or forums to update yourself on new types of threats and ways to address them.

Security Practices for Contractors and Service Providers

The efficiency and effectiveness of your company's security practices depend on those who carry them out, including service providers and contractors.

  • Prior to hiring outside services for your business processes, learn as much as possible about the contractor/provider's information security practices and determine whether they meet your standards and expectations.
  • Raise security concerns with your service providers according to the type of data that they should deal with, as indicated in your contract with them.
  • Remind your service providers to keep you informed of security incidents that they encounter even if they do not directly affect your data.

Remove What's Unnecessary

Trim down non-critical data, but do it with proper precaution.

Sure, you can easily organize files and documents by throwing the unnecessary ones straight into the trash bin. But when you're dealing with personally identifying data, merely throwing it into the trash could be an invitation to fraud and identity theft. It is extremely important to render the information unreadable before disposing of it. This will ensure that any attempts of fraud will be foiled.

  • Enforce sufficient and appropriate measures for the proper disposal of information to prevent illegal or unauthorized use of the sensitive information. The development of these measures may be based on various factors, such as the degree of sensitivity of the data, changes in current technology and disposal methods.
  • Properly dispose of paper files that are no longer necessary by shredding them before throwing them away.
  • Use a wiping program to delete information from old computers and storage devices. Wipe utility programs overwrite information on the computer. Using the standard methods of deletion for removing files is not enough to totally wipe the information from your hard drive.
  • If your business uses consumer credit reports, check out business.ftc.gov/privacy-and-security to learn more about the disposal rules of the FTC.
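Added example (not from the guide) of the overwriting that the wiping utilities mentioned here and in the laptop checklist perform, written in Python; the sample file content is constructed. The docstring notes the storage types on which in-place overwriting alone is not sufficient.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB pieces so large files need not fit in memory


def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite a file's contents `passes` times with random bytes, then delete it.

    Returns the number of bytes overwritten per pass. Caveat (general storage
    behaviour, not a statement from the guide): on SSDs, journaling or
    copy-on-write filesystems and cloud-synced folders, overwriting in place does
    not guarantee the old blocks are gone; full-disk encryption with destruction
    of the key is the dependable approach on such devices.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite to the device, not just the page cache
    os.remove(path)
    return size


def demo() -> bool:
    """Create a constructed sample file, wipe it, and confirm the result."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"SSN: 000-00-0000\n" * 100)  # constructed placeholder data, 1700 bytes
    wiped = wipe_file(path)
    return wiped == 1700 and not os.path.exists(path)


if __name__ == "__main__":
    print("wiped and removed" if demo() else "wipe failed")
```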

Q: Considering the nature of our business (which entails collection of credit applications), we normally receive a great deal of financial information from customers. When we're done with the applications, we make it a point to properly dispose of them. Are we doing enough?

A: Frankly, no. You may have disposed of them, but others may still be able to discern information from what you have thrown away. Make sure the data can no longer be read or recognized to ensure that there is no way of utilizing it for illegal purposes. Create a standard procedure such as shredding the paper files before actually throwing them away in the garbage.

Be Prepared for the Worst

Devise a strategy for dealing with unfortunate events involving a security breach.

Constantly pursuing measures to keep sensitive information safe is vital to thwarting plans of fraud and theft. The following measures can minimize the severity of problems that your business and people may be forced to deal with:

  • Always maintain readiness with steps and procedures formulated as a response to a security breach. Assign competent staff to carry out the procedures.
  • If you can determine that a computer has been hacked or illegally accessed, be sure to immediately disconnect the computer from the Internet.
  • Identify the people who must be notified in cases of compromised security. If you are unsure of who to notify, you should consult your lawyer on the subject.

Q: I run a small business. If I do implement these security plans, will I have to shell out a big amount of money?

A: Not necessarily. The kind of information security that you require would depend on the size and nature of your business. The most practical and effective measures would not cost anything at all. Basic practices like using strong and complicated passwords, educating employees on the importance of information security, and locking up storage rooms and file cabinets can greatly assist in ensuring that sensitive information will be kept safe. You can also research non-profit websites for cheaper information security tools.