For companies attempting to implement security measures for the safekeeping of their customers' and employees' personal information, the Federal Trade Commission's ("FTC") newly released guidelines may be of assistance. The FTC's guide entitled "Protecting Personal Information: A Guide for Business" designates five critical principles that companies should follow when dealing with security issues relating to personal information.
Take Stock: Know What Personal Information You Have on Your Computers
The FTC guide recommends that every business assess what types of personal information it possesses, where that information is stored, and which individuals have access to it. The FTC advises that companies make an inventory of all of the computer systems they use for storing sensitive data, such as desktop computers, servers, laptops, removable disks, and backup tapes.
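An inventory cannot be limited to the systems people remember; the "Take Stock" step is usually backed by a scan that finds where personal information actually sits. The following is an added example, not code from the FTC guide: a minimal discovery scan that walks a directory tree, flags files containing US Social Security numbers, payment card numbers (confirmed with the Luhn checksum so that arbitrary digit runs are not counted) and e-mail addresses, and reports counts per file without echoing the matched values. The file names and records it scans are constructed for the demonstration and are written to a temporary directory.

```python
"""Added example for the "Take Stock" step: a small PII discovery scan.
Not part of the FTC guide. Sample files and their contents are constructed
here purely for demonstration.
"""
import os
import re
import shutil
import tempfile
from collections import Counter

# Deliberately simple patterns; a production scanner would add context
# checks (labels such as "SSN:"), more formats and an allow-list.
PATTERNS = {
    # Area 000/666/9xx, group 00 and serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Candidate card number: 13-19 digits, optionally separated; confirmed by Luhn.
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Constructed sample records (hypothetical paths; 4111 1111 1111 1111 is a
# well-known test card number that passes Luhn, the next one does not).
SAMPLE_FILES = {
    "hr/employee_roster.csv": (
        "name,ssn,email\n"
        "Ada Lovelace,123-45-6789,ada@example.com\n"
        "Alan Turing,321-54-9876,alan@example.com\n"
    ),
    "sales/orders_2023.txt": (
        "order 1001 card 4111 1111 1111 1111 exp 12/25\n"
        "order 1002 card 4111 1111 1111 1112 exp 01/26\n"
        "order 1003 contact bob@example.org\n"
    ),
    "docs/readme.txt": "No personal data here. Build id 20230101120000.\n",
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count PII matches by kind; card candidates must pass Luhn."""
    counts = Counter()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "card":
                digits = re.sub(r"[ -]", "", match.group())
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue
            counts[kind] += 1
    return counts


def scan_directory(root: str) -> dict:
    """Return {relative_path: Counter} for every file that contains PII."""
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue            # unreadable file: skip, do not abort the scan
            if counts:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                inventory[rel] = counts
    return inventory


def build_demo_tree() -> str:
    """Write the constructed sample files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="pii_demo_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo_inventory() -> dict:
    """Build the sample tree, scan it, clean up, and return the inventory."""
    root = build_demo_tree()
    try:
        return scan_directory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, counts in sorted(demo_inventory().items()):
        print(rel, dict(counts))
```

The report lists only counts per file, so the inventory itself does not become another copy of the data it is cataloguing. Expect false positives from any pattern-based scan (a 16-digit identifier has roughly a one-in-ten chance of passing Luhn), so treat the output as a list of places to review, not as a finished record.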
Scale Down: Keep Only What You Need to Conduct Business
Unless the retention of sensitive personal information has a legitimate business purpose, businesses should not keep such information longer than applicable retention requirements demand. If a business's software settings automatically keep personal information, those settings should be changed so that information is not retained permanently by default. For companies that have to retain information for business purposes or for compliance with the law, a written records retention policy should be established.
Lock It: Protect the Information That You Keep
The FTC highlights the four aspects of a highly effective data security plan: (1) physical security; (2) electronic security; (3) employee training; and (4) security practices of contractors and service providers. Regarding physical security, the FTC encourages businesses to limit access to hard-copy information as well as computer files, Zip drives, and backup tapes. Businesses also may improve electronic security and manage risk by examining their employees' use of passwords, laptops, and wireless and remote access. The FTC also underscores the importance of providing proper training to employees regarding the use, retention, and disposal of sensitive personal information. Lastly, companies should establish an open dialogue with any contractors or service providers they use in order to handle security issues effectively as they arise.
Pitch It: Properly Dispose of What You No Longer Need
To minimize security breaches, companies should develop specific disposal practices to discard sensitive information that no longer needs to be retained. Unnecessary papers should be shredded, burned, or otherwise destroyed in accordance with the FACTA Disposal Rule (16 C.F.R. § 682). Old computers and other storage devices should be wiped with a disk-wiping utility before disposal; note that overwrite-based wiping is not reliable on flash-based media such as SSDs, where the device's own secure-erase function or physical destruction is the dependable option.
Plan Ahead: Create a Plan for Responding to Security Incidents
Companies should establish response plans that include immediate investigation of breaches and prompt notification of the customers, financial institutions, and other entities affected by incidents. Planning and preparing for security incidents will facilitate a prompt business response in the event that a security breach actually happens.
While the FTC guide offers an overview of data security principles, it is not an exhaustive list of the security practices that businesses should be using in their day-to-day operations. Companies should use the guide as a starting point for planning their data security policies and consult with counsel to determine the reasonableness and defensibility of such policies. Ultimately, to safeguard personal information belonging to both customers and employees, companies will need to be mindful of how compliance with the FTC recommendations will affect the specific needs of their businesses.