On the heels of the Federal Trade Commission’s new guidance for companies hit with a data breach, the agency released updated advice for businesses that maintain personal information.

“Protecting Personal Information: A Guide for Business” relies on five principles: take stock, scale down, lock it, pitch it, and plan ahead.

“Take stock” refers to the agency’s advice that companies should know what personal information they have in their files and on their computers. Begin with an inventory, the FTC suggested, including computers, laptops, mobile devices, flash drives, disks, digital copiers, and home computers. The agency warned that “[n]o inventory is complete until you check everywhere sensitive data might be stored.” Companies should also consider who sends sensitive personal information to the business (such as credit bureaus or job applicants) and who has, or could have, access to the information.
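The inventory step is where most companies stall, because nobody knows which shares, mailboxes, or old exports still hold Social Security or card numbers. The following Python scanner is an added example written for this page, not code from the FTC guidance: it walks a set of documents, flags strings that look like SSNs (applying the Social Security Administration's format rules, so that numbers such as 9xx-xx-xxxx are not counted) and card numbers (validated with the Luhn check so that random 16-digit strings are not counted), and records only a masked value so the inventory itself does not become another copy of the sensitive data. The sample files are constructed inline; the `scan_directory` helper is an assumption about how a practitioner would point it at real storage.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Constructed sample "files" standing in for file shares, mailboxes, copier
# drives and laptops. In a real inventory these are read from disk.
SAMPLE_FILES = {
    "hr/applicants.csv": "name,ssn\nJane Doe,123-45-6789\nJohn Roe,987-65-4321\n",
    "finance/refunds.txt": (
        "refund to card 4111 1111 1111 1111 approved; "
        "ref 4111-1111-1111-1112 declined\n"
    ),
    "eng/README.md": "Build with make; see ticket 123-45-6789x for details.\n",
}

# SSN: area 000, 666 and 900-999 are never issued; group 00 and serial 0000
# are invalid. \b on both ends rejects things like "123-45-6789x".
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Card: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Luhn is applied afterwards.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # "ssn" or "card"
    masked: str    # all but the last four digits replaced with "*"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return masked findings for one document, in order of appearance."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding(path, "ssn", mask(m.group().replace("-", ""))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(path, "card", mask(digits)))
    return findings


def inventory(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan every document; paths with no findings map to an empty list."""
    return {path: scan_text(path, text) for path, text in files.items()}


def summary(results: dict[str, list[Finding]]) -> dict[str, int]:
    """Count findings by kind, e.g. {"ssn": 1, "card": 1}."""
    counts: dict[str, int] = {}
    for findings in results.values():
        for f in findings:
            counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def scan_directory(root: str) -> dict[str, list[Finding]]:
    """Assumed helper: read text files under root and scan them (not run here)."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            files[str(p)] = p.read_text(errors="ignore")
    return inventory(files)


if __name__ == "__main__":
    results = inventory(SAMPLE_FILES)
    for path, findings in results.items():
        for f in findings:
            print(f"{path}: {f.kind} {f.masked}")
    print(summary(results))
```

Two of the three candidate values in the sample are rejected on purpose: `987-65-4321` fails the area-number rule and `4111-1111-1111-1112` fails Luhn. False positives are what make inventories get ignored, so the validation rules matter as much as the patterns. Extend `scan_text` with the identifiers your own business handles (account numbers, driver's licence formats), and treat the report as sensitive in its own right even though values are masked.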

Scale down, the FTC advised, by keeping only what the business needs. “If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it,” the agency wrote. “In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary.” If the company offers a mobile app, it should ensure that the app accesses only the data and device functionality it needs, the FTC said.

If information is necessary for business reasons or legal compliance, a company should develop a written records retention policy to “identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.”

The third principle, lock it, requires that companies protect the information they keep through four elements: maintaining physical security, maintaining electronic security, training employees, and investigating the security practices of contractors and service providers. Data compromises can happen the old-fashioned way, through lost or stolen paper documents, the agency noted, as well as through hackers, so basic precautions such as locking offices and file drawers remain important. On the technology side, businesses should encrypt sensitive information sent to third parties over public networks and consider multifactor authentication, such as requiring both a password and a code delivered by a separate method.

Don’t forget about third parties, the guidance stated. Before outsourcing any business functions (payroll or customer call center operations, for example), a company should investigate the service provider’s data security practices and compare them with industry standards. Security expectations should be included in written contracts.

Businesses must properly dispose of what is no longer needed under the principle of “pitch it.” Reasonable measures should be adopted for information disposal based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology. Paper records can be shredded or pulverized, the agency suggested, and wipe utility programs should be used before disposing of old computers and portable storage devices.

Finally, the FTC explained that businesses should create a plan for responding to security incidents under the principle of “plan ahead.” The plan should designate a senior staff member to coordinate and implement the response plan, include steps to investigate immediately, and address the issue of whom to notify about the incident.

The FTC’s new guidance, “Protecting Personal Information: A Guide For Business,” is available from the agency.

Why it matters: Most companies keep sensitive information in their files—names, Social Security numbers, credit cards, or other account data—that identifies customers or employees, the FTC said. While such data is often necessary for business purposes, companies can face significant costs as a result of a breach, from the loss of customer trust to a lawsuit. Businesses can take steps towards securing their data by establishing a sound data security plan built on the five principles found in the FTC’s guidance.