Most companies need to keep sensitive information for their employees or customers on file such as socials security numbers, credit cards, or other personal indentifying data. Personal information is used on a daily basis to perform necessary business functions such as payroll, purchasing and selling. Safeguarding such personal information is critical. If a company’s sensitive data were to fall into the wrong hands, the results of the loss of your customer’s trust and a possible lawsuit could be devastating.

Regardless of whether a business keeps such information in paper files, in or on desks, or in electronic form, it is necessary to develop a reliable data security plan.

Below are five suggestions to get you started in developing your company’s data security plan:

Take an Inventory

Determine what sensitive personal information you have and list what it is and where it is located in your filing system and on all your computers. Be sure to include all flash drives, external hard drives, disks and home computers containing this information. Discuss the use of sensitive personal information with personnel in each department of your business to have a clear understanding of how, when and where all types of information will be used.

It’s essential to also to be in compliance with existing statutes like the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Federal Trade Commission Act which require business to provide reasonable security for personal sensitive information.

Eliminate what you don’t need

Retain sensitive data in your system only as long as you have a good business reason to have it. A good example is the use of customer credit card numbers. Check the defaults on your processing software that reads a customer’s credit or debit card for transactions – some systems are preset to keep the information indefinitely. Change the setting to a reasonable period of time. A great way to reduce fraud and identity theft is to dispose of sensitive information in a proper way; if it’s not in your system it cannot be stolen.

If you must keep certain information for business reasons or to comply with the law, make sure to develop a written records policy that identifies what information must be kept, how to secure it, and how to dispose of it securely when it’s no longer needed.

Keep it under lock and key

The most successful data security plans will contain four key security components: physical, electronic, employee training, and the security practices of contractors and service providers.

Physical security – paper documents, disks of any kind and portable hard drives containing sensitive information must be stored in a locked file cabinet or room. Employee access needs to be limited based on business need and controlled by key staff.

Electronic security – it is every computer user’s responsibility to maintain. Ensure you have general network system security and strongly rated password on all software and files. Encrypt sensitive information you sent over the Internet. Run updated virus and anti-spyware programs on individual computers and all servers on your network. When you receive or transmit credit card information or other sensitive financial data use Secure Sockets Layer (SSL) or another secure connection that will protect your information while in transit. If Laptop computers are issued to employees, restrict use to only the programs needed to perform their jobs and require secure storage when not in use.

Employee training – provide the company’s security plan to each employee. In addition to explaining the plan, require them to read and implement all aspects of the plan. Do follow-up training sessions emphasizing the importance of meaningful data security practices. A well trained workforce is the best defense against data breaches and identity theft.

Security practices of contractors and service providers – investigate the contractor or provider’s data security practices and compare them to yours. Get to know them by visiting their facility. Discuss in depth your security issues for the type of data they will be handling for you. Insist that your contractors and providers notify you of all security incidents they encounter, even if the incidents may not have led to an actual compromise of your data.

Throw it out

Sensitive personal information no longer needed for business operations must be properly disposed of. Implement disposal practices that are reasonable and appropriate for your organization based on the sensitivity of the information. Shredding, burning or pulverizing can properly dispose paper records. Utility programs that wipe hard drives need to used on old computers and portable storage devices prior to disposal. Make sure employees working from home follow the same procedures as the business headquarters. Be informed of the FTC’s Disposal Rule, you may be subject to specific rules of disposal of sensitive information.

Look to the future

Develop a plan for responding to security incidents that may occur. Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to sensitive information. Figure out whom to notify in the event of an incident – both inside and outside your business. Consumers, law enforcement, credit bureaus and other businesses may need to be contacted if a security breach occurs. Many states and federal bank regulatory agencies have laws or guidelines dealing with data breaches.

Please consider these additional resources to help you design, develop, and implement your plan to protect your company’s sensitive information:

Federal Trade Commission’s Interactive Tutorial

SANS (SysAdmin, Audit, Network, Security) Institute’s Most Critical Internet Security Vulnerabilities

Carnegie Mellon Software Engineering Institute’s CERT Coordination Center

OnGuard Online