In order to work with customers, businesses need to collect information from them to process orders. For instance, if you’re shipping a product then you need to know the mailing address. Companies often keep this information after an order for many reasons, including expediting future orders or for marketing purposes. But in the wrong hands, that information can be used to commit identity theft.
If a company allows personal information to leak, that’s bad news. It’s not just bad for consumers; companies can also get punished by the FTC. What can you do to reduce the chances of identity theft while still getting the information you need? The FTC has outlined five steps to follow.
First, you need to know what information you have on your customers right now and where it is stored. You also need to know how your company receives personal information and what kinds of information are collected at each point of contact. Finally, you need to know who has access to the information and why.
This can be trickier than you think. Laptops, mobile devices, flash drives, copiers, even home computers could all contain sensitive information. Information can be gathered directly by the company or by a third party. Sales and Marketing may have one set of data, while Customer Service has another. All of this information needs to be inventoried.
If there isn’t a legitimate business need to keep a piece of data on a customer, don’t keep it. Better still, don’t ask for it in the first place. The more information you collect, the more you have to protect and the easier it is for a hacker to use that information to create a customer profile strong enough to commit identity theft. Employees should only have access to the consumer information they need to complete their jobs and no more. Also, be sure that external data-collecting applications, like a website or a mobile app, follow these rules.
Once you have the information you need, it must be protected. You must consider four elements:
• Physical security of information
• Digital security of information
• Employee training on the handling of information
• Understanding the security practices of contractors and service providers
If any one of these four is weak, that is a route for information to get stolen. These are complex subjects, but the FTC has a good overview of what to consider for each of them on its website. Digital security is the most likely route for identity theft. Even a small business is at risk and should take precautions.
Quite simply, if the information is no longer needed then it must be deleted. But it must be done properly. An unbroken CD with information found in a trash can or a pile of credit card transactions in a bag is pay dirt for an information thief. Papers must be shredded and digital media securely erased to prevent information theft. Employees must also follow these procedures for anything they take home as part of their work duties.
Plan For It
No plan for information security is perfect. Information thieves keep coming up with new ways to get information, and they only need to succeed once. That’s why you must also create a plan for how to handle a breach if one is detected. At a minimum, the plan needs to identify the breach, close the breach, document what happened, notify any affected customers or agencies, and come up with a solution to prevent that attack from working in the future. Having a current plan on file and following it can help reduce the hit to a company’s reputation if data is stolen.
David McKenzie, lawyer and founder of McKenzie Law Firm, states, “Identity theft is a very popular way of committing white-collar crimes. Unfortunately, our personal information is also very valuable to companies and advertisers who want to sell things to us. Companies have to guard this information carefully to prevent it from getting into the wrong hands.” Follow these steps and you’ll go a long way to doing just that.