Protect Customer Information
Data Security Should Be Standard
By Ricardo Harvin
On June 1, the Federal Trade Commission (FTC) issued a new rule under the existing Fair and Accurate Credit Transactions Act of 2003 (FACTA) that requires businesses—small and large—and individuals to dispose of sensitive information derived from consumer reports. Under the new FACTA Disposal Rule, if you use consumer reports—including customer credit reports, employee background checks, or tenant histories—you are now obligated to dispose of this information using methods that are deemed "reasonable and appropriate."
This new rule is intended to help protect consumer data and prevent identity theft, and it applies to the disposal of both paper and electronic information. However, the rule neither contains provisions for how consumer report information should be stored nor places restrictions on how long it should be kept.
Even if you don't use consumer report information and your records aren't specifically covered under the rule, now is a good time to review how you handle all the customer—and employee—data you gather.
Practices to Follow
Make sure you limit access to information only to those people in your company who need it and only for the period of time required. Nonemployees should never have unsupervised access to your customer or employee records.
Despite the real threat of theft by outsiders, in most cases when company information is stolen, it involves either someone working for the victimized company or a nonemployee who has access to areas where that data is stored.
If you store your information electronically, at a minimum, you should use strong passwords to lock your files. Your passwords should include both numbers and letters—but not words that can be found in a dictionary. For maximum security, you should also use a strong encryption program to turn the information in your files into code that can't be deciphered without the correct key.
While the new FTC rule tells you how to dispose of consumer report information, protecting your company's data each step of the way should be an everyday part of how you do business.
And if you don't think that protecting consumer information needs to be a standard part of doing business, just think of all the places that have your credit card and other financial data—don't you want them to handle your information with the same amount of care?
For additional coverage on technology issues, go to www.uschamber.com/goto/techtools.
- www.ftc.gov/opa/2005/06/disposal.htm — FTC FACTA Disposal Rule
- www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.htm — Explanation of the Disposal Rule
- http://www.epic.org/ — News on securing electronic information and links to encryption software