Lock It: Protecting Your Office from Info Thieves

By Lesley Fair

Sometimes the key to data security is an old-fashioned lock. Protecting Personal Information: A Guide for Business, a new handbook from the Federal Trade Commission, offers advice on protecting your customers and employees by securing sensitive data. One important tip: Lock it — Protect the information that you keep.

  • Lock, stock — or peril. Computer defenses can be critical, but when it comes to protecting personal information, don’t forget “old school” physical security, too. Discourage light-fingered passersby by making sure every employee has a secure drawer or locker. Centralize sensitive paperwork and limit access to employees with a legitimate business need. Remind them not to leave documents out when they step away from their desks. Shipping data offsite? Consider encrypting it and using a mailing method that will allow you to track the package en route.
  • Barbarians at the gate. Viruses, spyware, and other invaders will attack an unprotected computer in just seconds. Your tech staff has sophisticated defensive tools at their disposal, but be sure to remind your employees that electronic security is everybody’s business. Use strong passwords (the longer, the better) and require your staff — including the ones who wreathe their computer screens with passwords scrawled on sticky notes — to store them securely and change them regularly. Ask your IT people to install an intrusion detection system to tip them off to network breaches. Monitor incoming and outgoing traffic for higher-than-average use at unusual times of the day. Check expert resources like www.sans.org and your software vendors’ websites for alerts about the latest vulnerabilities and vendor-approved patches.
  • We have met the enemy and he is us. Hackers certainly pose a threat, but sometimes the biggest risk to a company’s security is an otherwise conscientious employee who hasn’t learned the basics about protecting personal information. Create a culture of security by implementing a regular schedule of employee training. Make it clear to new staff that abiding by your company’s data security plan is an essential part of their job. Make account data, credit card numbers, or other sensitive information available only on a “need to know” basis. Have a procedure in place for making sure that workers who leave your employ or move to another part of the business no longer have access to off-limits information.
  • Trust, but verify. That Cold War phrase should describe your approach to the security practices of your contractors and service providers. Before outsourcing any of your business functions — payroll, web hosting, call center operations, data processing, fulfillment, and the like — investigate the company’s data security practices and compare their standards to your own. Make sure your expectations and requirements are spelled out in the contract and build in a way for you to monitor their performance. Insist that contractors and service providers notify you immediately if they experience a security incident, even if it may not have led to an actual compromise of your data.
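The traffic-monitoring advice in the "Barbarians at the gate" tip, as an added illustration rather than anything from the FTC handbook: a short Python script that builds a business-hours baseline from constructed hourly traffic log lines and flags off-hours volumes well above that baseline. The log format, the 08:00-18:59 working window and the 3x threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of an hourly traffic log (not from the FTC guide):
# timestamp, direction (in/out), bytes transferred in that hour.
SAMPLE_LOG = """\
2007-07-02T09:00 out 120000
2007-07-02T10:00 out 150000
2007-07-02T11:00 out 130000
2007-07-02T14:00 out 140000
2007-07-02T16:00 out 125000
2007-07-02T23:00 out 900000
2007-07-03T02:00 out 1500000
2007-07-03T03:00 out 40000
2007-07-03T10:00 out 260000
"""

LINE_RE = re.compile(r"^(\S+)\s+(in|out)\s+(\d+)$")
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 is a normal working hour


def parse_log(text):
    """Return (timestamp, direction, bytes) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return records


def baseline(records, direction="out"):
    """Average hourly volume during business hours for one direction."""
    vols = [b for ts, d, b in records if d == direction and ts.hour in BUSINESS_HOURS]
    return sum(vols) / len(vols) if vols else 0.0


def flag_off_hours_spikes(records, direction="out", factor=3.0):
    """Hours outside business hours whose volume exceeds factor x the baseline."""
    avg = baseline(records, direction)
    return [(ts.isoformat(timespec="minutes"), b) for ts, d, b in records
            if d == direction and ts.hour not in BUSINESS_HOURS and avg and b > factor * avg]


if __name__ == "__main__":
    for when, volume in flag_off_hours_spikes(parse_log(SAMPLE_LOG)):
        print(f"off-hours spike at {when}: {volume} bytes")
```

Inbound traffic can be checked the same way by calling the functions with `direction="in"`.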

Get your copy of Protecting Personal Information: A Guide for Business at business.ftc.gov.


Lesley Fair is an attorney in the FTC’s Bureau of Consumer Protection who specializes in business compliance.


July 2007