Most companies keep sensitive personal information in their files and on their computers (names, Social Security Numbers, insurance numbers, account data, etc.) that identifies customers or employees. Businesses need this information to fill orders, meet payroll or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to identity theft and, potentially, fraud. Safeguarding sensitive data is just plain good business. Even if your industry or business does not have to comply with current Federal and/or State confidentiality laws (such as the Red Flag regulations), what steps should you be taking to protect personal information at your company?
Listed below are 15 ways to protect sensitive information in your organization. Next month, we’ll provide our readers with 15 MORE ways to make their workplace more ’identity theft-proof’.
1. Do you have a written policy in place to ensure that sensitive, confidential paperwork is unreadable before you throw it away? Have shredders by every work station where sensitive data is handled; if an area has a large amount of sensitive paperwork to be shredded, consider hiring a third party company to shred and dispose of the material.
2. Do you have a system in place defining how all personal information on customers and employees is destroyed once it is no longer needed? Having shredders available is just one step. Be sure you have identified all forms, letters, files, etc. that contain personal identification, and then write out the specific steps that must occur when a particular form, letter or file must be destroyed.
3. Do you check references and/or complete background checks before hiring employees who will have access to sensitive data? Companies can significantly reduce their exposure to internal criminal risk if they follow a policy of checking both references AND backgrounds prior to hire. If they do so, they need to have the appropriate forms for potential employees to sign that give the company permission to seek this information. Because potential employees must provide confidential information for background checks to be completed, the company will be subject to Red Flag regulations (see question 4).
4. Is your company subject to Red Flag regulations? The Red Flag Rules require financial institutions and creditors to implement a written Identity Theft Protection Program to detect, prevent and mitigate identity theft in connection with new and existing “covered accounts”.
5. Have you appointed someone within your management team as Information Security Officer? Because a majority of identity breaches occur through a company’s technology, the Information Security Officer is usually someone in the IT department who can keep abreast of the latest threats and make adjustments rapidly.
6. Do you ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data? This form should be part of every new hire packet, regardless of how little the new employee will be exposed to confidential data.
7. Do you audit your confidentiality agreements periodically to be certain no employee has been missed? Not only should a company audit these agreements to assure all have signed them, but the document itself needs to be reviewed at least on an annual basis to assure it covers all the areas needed to protect the identity of clients, the vendors, the company and its employees.
8. Do all employees understand that abiding by your company’s data security plan is an essential part of their duties? Data security responsibilities and tasks need to be included in the employees’ job descriptions to make clear that abiding by the policies and procedures of the security plan is an important part of their job.
9. Do you regularly conduct training to remind employees of your company’s policy, and any legal requirement, to keep customer information secure and confidential? Training, together with enforcement, is key to ensuring your policies are followed consistently.
10. Do you limit access to personal information to only those employees with a “need to know”? Sensitive information is needed for some tasks to be completed adequately. Companies have a duty, however, to assure that only those who need the information to complete their job have access to it.
11. Are your fax machines in a secure area? While you can control most of the information that leaves your office, you also need to take adequate steps to ensure that information arriving at your office through your fax machines is handled in a secure environment.
12. Do you have a policy for receiving mail to assure only approved employees have access to confidential information? Different departments might receive mail that has sensitive information enclosed; however, steps should be taken to assure that only those who need the information have access to it.
13. Do you review how confidential personal information is stored and accessed? The company must take adequate precautions that all departments and branches follow the same policies and procedures when it comes to personal information storage and retrieval. If the company has employees who travel with technology that contains sensitive information, policies and procedures need to be applied consistently throughout the organization. Examples would be policies for employees who store customer information on their PDAs, for safeguarding financial information stored on the laptop of an employee who sometimes works from home, for an outside salesperson whose BlackBerry contains sensitive emails from the home office, etc.
14. Do you regularly assess what personal information you really need to collect? Just a few years ago, many job applications asked for the Social Security Number and most insurance companies used the insured’s Social Security Number as their policy number. Companies must constantly manage their risk of identity theft exposure by limiting the collection of, and access to, personal information wherever and whenever possible.
15. Do you keep all written confidential information, such as employee personnel files and customer information, in locked file cabinets? It may seem obvious, but too often sensitive information falls into the wrong hands not because of some complicated technology breach but because a file cabinet was left unlocked, or there was no lock on it in the first place.