Federal Trade Commission | business.ftc.gov
A Guide for Business
Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees.
This information often is necessary to fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. Given the cost of a security breach—losing your customers’ trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business.
Some businesses may have the expertise in-house to implement an appropriate plan. Others may find it helpful to hire a contractor. Regardless of the size—or nature—of your business, the principles in this brochure will go a long way toward helping you keep data secure.
A sound data security plan is built on 5 key principles:
1. TAKE STOCK.
Know what personal information you have in your files and on your computers.
2. SCALE DOWN.
Keep only what you need for your business.
3. LOCK IT.
Protect the information that you keep.
4. PITCH IT.
Properly dispose of what you no longer need.
5. PLAN AHEAD.
Create a plan to respond to security incidents.
Use the checklists on the following pages to see how your company’s practices measure up—and where changes are necessary.
1. TAKE STOCK.
Know what personal information you have in your files and on your computers.
Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities. You can determine the best ways to secure the information only after you’ve traced how it flows.
●● Inventory all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment to find out where your company stores sensitive data. Also, inventory the information you have by type and location. Your file cabinets and computer systems are a start, but remember: your business receives personal information in a number of ways—through websites, from contractors, from call centers, and the like. What about information saved on laptops, employees’ home computers, flash drives, digital copiers, and mobile devices? No inventory is complete until you check everywhere sensitive data might be stored.
●● Track personal information through your business by talking with your sales department, information technology staff, human resources office, accounting personnel, and outside service providers. Get a complete picture of:
►► Who sends sensitive personal information to your business. Do you get it from customers? Credit card companies? Banks or other financial institutions? Credit bureaus? Job applicants? Other businesses?
►► How your business receives personal information. Does it come to your business through a website? By email? Through the mail? Is it transmitted through cash registers in stores?
►► What kind of information you collect at each entry point. Do you get credit card information online? Does your accounting department keep information about customers’ checking accounts?
process credit card purchases. Consider implementing multi-factor authentication for access to your network.
Digital Copiers
Your information security plan should cover the digital copiers your company uses. The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes, or emails. If you don’t take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extraction once the drive has been removed. Here are some tips about safeguards for sensitive data stored on the hard drives of digital copiers:
●● Get your IT staff involved when you’re thinking about getting a copier. Employees responsible for securing your computers also should be responsible for securing data on digital copiers.
●● When you’re buying or leasing a copier, consider data security features offered, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting. Encryption scrambles the data on the hard drive so it can be read only by particular software. Overwriting— also known as file wiping or shredding—replaces the existing data with random characters, making it harder for someone to reconstruct a file.
●● Once you choose a copier, take advantage of all its security features. You may be able to set the number of times data is overwritten—generally, the more times the data is overwritten, the safer it is from being retrieved. In addition, make it an office practice to securely overwrite the entire hard drive at least once a month.
●● When you return or dispose of a copier, find out whether you can have the hard drive removed and destroyed, or overwrite the data on the hard drive. Have a skilled technician remove the hard drive to avoid the risk of breaking the machine. To find out more, read Copier Data Security: A Guide for Businesses at ftc.gov/privacy-and-security (click on Data Security).
●● To detect network breaches when they occur, consider using an intrusion detection system. To be effective, it must be updated frequently to address new types of hacking.
●● Maintain central log files of security-related information to monitor activity on your network so that you can spot and respond to attacks. If there is an attack on your network, the log will provide information that can identify the computers that have been compromised.
●● Monitor incoming traffic for signs that someone is trying to hack in. Keep an eye out for activity from new users, multiple log-in attempts from unknown users or computers, and higher-than-average traffic at unusual times of the day.
●● Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from your system to an unknown user. If large amounts of information are being transmitted from your network, investigate to make sure the transmission is authorized.
●● Have in place and implement a breach response plan. See further down for more information.
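As an added example (not part of the FTC guide), the following Python script applies two of the monitoring checks above to a handful of constructed central-log entries: repeated failed log-ins from a single source, and an unusually large volume sent to a destination that is not on a known list. The log format, the thresholds and the allowlisted backup address are assumptions to be replaced with your own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries (not real logs); addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-04T02:13:05 auth result=FAIL user=admin src=203.0.113.7
2024-03-04T02:13:09 auth result=FAIL user=root src=203.0.113.7
2024-03-04T02:13:14 auth result=FAIL user=backup src=203.0.113.7
2024-03-04T09:05:40 auth result=FAIL user=mlee src=192.0.2.15
2024-03-04T09:06:02 auth result=OK user=mlee src=192.0.2.15
2024-03-04T11:30:00 net direction=OUT dst=192.0.2.200 bytes=52428800
2024-03-04T23:41:00 net direction=OUT dst=198.51.100.9 bytes=734003200
2024-03-04T23:44:00 net direction=OUT dst=198.51.100.9 bytes=838860800
"""

# Assumed thresholds and allowlist; tune them to your own baseline.
FAILED_LOGIN_LIMIT = 3                # failures from one source before alerting
OUTBOUND_LIMIT_BYTES = 1 << 30        # 1 GiB total to one external destination
KNOWN_DESTINATIONS = {"192.0.2.200"}  # e.g. your own offsite backup (assumed)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<fields>.*)$")


def parse_line(line):
    """Return (timestamp, kind, {key: value}) for one entry, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return m.group("ts"), m.group("kind"), fields

def find_alerts(log_text):
    """Flag repeated failed log-ins per source and large unexplained outbound volume."""
    failures = Counter()          # source address -> failed log-in count
    outbound = defaultdict(int)   # destination -> total bytes sent
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, kind, f = parsed
        if kind == "auth" and f.get("result") == "FAIL":
            failures[f["src"]] += 1
        elif kind == "net" and f.get("direction") == "OUT":
            outbound[f["dst"]] += int(f["bytes"])
    alerts = [f"{n} failed log-ins from {src}"
              for src, n in failures.items() if n >= FAILED_LOGIN_LIMIT]
    alerts += [f"{total} bytes sent to unknown destination {dst}"
               for dst, total in outbound.items()
               if dst not in KNOWN_DESTINATIONS and total >= OUTBOUND_LIMIT_BYTES]
    return alerts
```

Running `find_alerts(SAMPLE_LOG)` flags the three failures from 203.0.113.7 and the roughly 1.5 GB sent to 198.51.100.9, while the single failure from 192.0.2.15 and the transfer to the allowlisted backup host stay quiet.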
Question: I’m not really a “tech” type. Are there steps our computer people can take to protect our system from common hack attacks?
Answer: Yes. There are simple fixes to protect your computers from some of the most common vulnerabilities. For example, a threat called an “SQL injection attack” can give fraudsters access to sensitive data on your system. Protect your systems by keeping software updated and conducting periodic security reviews for your network. Bookmark the websites of groups like the Open Web Application Security Project, www.owasp.org, or SANS (SysAdmin, Audit, Network, Security) Institute’s The Top Cyber Security Risks, https://www.sans.org/critical-security-controls/, for up-to-date information on the latest threats—and fixes. And check with your software vendors for patches that address new vulnerabilities. For more tips on keeping sensitive data secure, read Start with Security: A Guide for Business at ftc.gov/startwithsecurity.
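The SQL injection threat named in the answer above, shown as an added example that is not from the FTC guide: a customer lookup that splices the caller’s text into the SQL statement, beside the parameterized form that a periodic security review should insist on. The in-memory table, its rows and the malformed input are all constructed.

```python
import sqlite3

# Constructed in-memory table standing in for a customer database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account TEXT)")
conn.executemany("INSERT INTO customers (email, account) VALUES (?, ?)", [
    ("ana@example.com", "1001-2222"),
    ("ben@example.com", "1001-3333"),
])


def lookup_unsafe(email):
    """Vulnerable: the caller's text becomes part of the SQL statement itself,
    so quote characters in it change what the query means."""
    sql = f"SELECT email, account FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(email):
    """Hardened: the value is bound as a parameter; the database treats it as
    data to compare against, never as SQL to parse."""
    sql = "SELECT email, account FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed malformed input: with the unsafe query it turns the WHERE clause
# into a condition that is true for every row, exposing all customers.
BAD_INPUT = "x' OR '1'='1"
```

Both functions return the same single row for a genuine address; for `BAD_INPUT` the unsafe version returns every customer while the parameterized version matches nothing, which is the behaviour a code review should check for wherever user input reaches a query.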
Your data security plan may look great on paper, but it’s only as strong as the employees who implement it. Take time to explain the rules to your staff, and train them to spot security vulnerabilities. Periodic training emphasizes the importance you place on meaningful data security practices. A well-trained workforce is the best defense against identity theft and data breaches.
●● Check references or do background checks before hiring employees who will have access to sensitive data.
●● Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data. Make sure they understand that abiding by your company’s data security plan is an essential part of their duties.
●● Regularly remind employees of your company’s policy—and any legal requirement—to keep customer information secure and confidential.
●● Know which employees have access to consumers’ sensitive personally identifying information. Pay particular attention to data like Social Security numbers and account numbers. Limit access to personal information to employees with a “need to know.”
●● Have a procedure in place for making sure that workers who leave your employ or transfer to another part of the company no longer have access to sensitive information. Terminate their passwords and collect keys and identification cards as part of the
●● Create a “culture of security” by implementing a regular schedule of employee training. Update employees as you find out about new risks and vulnerabilities. Make sure training includes employees at satellite offices, temporary help, and seasonal workers. If employees don’t attend, consider blocking their access to the network.
●● Train employees to recognize security threats. Tell them how to report suspicious activity and publicly reward employees who alert you to vulnerabilities. Visit ftc.gov/startwithsecurity to show them videos on vulnerabilities that could affect your company, along with practical guidance on how to reduce data security risks.
●● Tell employees about your company policies regarding keeping information secure and confidential. Post reminders in areas where sensitive information is used or stored, as well as where employees congregate. Make sure your policies cover employees who telecommute or access sensitive data from home or an offsite location.
●● Teach employees about the dangers of spear phishing—emails containing information that makes the emails look legitimate. These emails may appear to come from someone within your company, generally someone in a position of authority. Make it office policy to independently verify any emails requesting sensitive information. When verifying, do not reply to the email and do not use links, phone numbers, or websites contained in the email.
●● Warn employees about phone phishing. Train them to be suspicious of unknown callers claiming to need account numbers to process an order or asking for customer or employee contact information. Make it office policy to double-check by contacting the company using a phone number you know is genuine.
●● Require employees to notify you immediately if there is a potential security breach, such as a lost or stolen laptop.
●● Impose disciplinary measures for security policy violations.
●● For computer security tips, tutorials, and quizzes for everyone on your staff, visit www.ftc.gov/OnGuardOnline.
Security Practices of Contractors and Service Providers
Your company’s security practices depend on the people who implement them, including contractors and service providers.
●● Before you outsource any of your business functions—payroll, web hosting, customer call center operations, data processing, or the like—investigate the company’s data security practices and compare their standards to yours. If possible, visit their facilities.
●● Put your security expectations in writing in contracts with service providers. Then, don’t just take their word for it—verify compliance.
●● Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data.
4. PITCH IT.
Properly dispose of what you no longer need.
What looks like a sack of trash to you can be a gold mine for an identity thief. Leaving credit card receipts or papers or CDs with personally identifying information in a dumpster facilitates fraud and exposes consumers to the risk of identity theft. By properly disposing of sensitive information, you ensure that it cannot be read or reconstructed.
●● Implement information disposal practices that are reasonable and appropriate to prevent unauthorized access to—or use of—personally identifying information. Reasonable measures for your operation are based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.
SECURITY CHECK
Question: My company collects credit applications from customers. The form requires them to give us lots of financial information. Once we’re finished with the applications, we’re careful to throw them away. Is that sufficient?
Answer: No. Have a policy in place to ensure that sensitive paperwork is unreadable before you throw it away. Burn it, shred it, or pulverize it to make sure identity thieves can’t steal it from your trash.
●● Effectively dispose of paper records by shredding, burning, or pulverizing them before discarding. Make shredders available throughout the workplace, including next to the photocopier.
●● When disposing of old computers and portable storage devices, use software for securely erasing data, usually called wipe utility programs. They’re inexpensive and can provide better results by overwriting the entire hard drive so that the files are no longer recoverable. Deleting files using the keyboard or mouse commands usually isn’t sufficient because the files may continue to exist on the computer’s hard drive and could be retrieved easily.
●● Make sure employees who work from home follow the same procedures for disposing of sensitive documents and old computers and portable storage devices.
●● If you use consumer credit reports for a business purpose, you may be subject to the FTC’s Disposal Rule. For more information, see Disposing of Consumer Report Information? Rule Tells How at ftc.gov/privacy-and-security (click on Credit Reporting).
5. PLAN AHEAD.
Create a plan for responding to security incidents.
Taking steps to protect data in your possession can go a long way toward preventing a security breach. Nevertheless, breaches can happen. Here’s how you can reduce the impact on your business, your employees, and your customers:
●● Have a plan in place to respond to security incidents. Designate a senior member of your staff to coordinate and implement the response plan.
●● If a computer is compromised, disconnect it immediately from your network.
●● Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to personal information.
●● Consider whom to notify in the event of an incident, both inside and outside your organization. You may need to notify consumers, law enforcement, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, many states and the federal bank regulatory agencies have laws or guidelines addressing data breaches. Consult your attorney.