A Checklist for Protecting Personal Information

By Julia Siripurapu

Customers care a great deal about how companies handle their personal and financial information, as do government regulators in the United States and abroad. Build a strong data security program and establish a track record as a responsible custodian of sensitive information. Doing so is good for business and good for your customers. Note that some states, such as Massachusetts, require a written information security program (a "WISP"): if your business owns, stores, or licenses the personal information of Massachusetts residents, the Massachusetts data security regulations (201 CMR 17.00) require you to have a written information security program, and that program must be appropriately vetted, implemented with proper training of employees, and revisited from time to time to ensure that it remains consistent with your operations.

At a high level, a comprehensive information security program must address the unique aspects of your industry and your business, including your systems and resources, the nature and amount of information you collect, your regulatory requirements, and the locations where you operate or target customers, to name just some of the relevant considerations. That is far more than we can cover in this blog post. Below is (1) a checklist highlighting a few key points to keep in mind as you prepare an information security program or evaluate your current one and (2) links to a number of resources to get you started.

Data Security Checklist:

___ Understand and comply with your regulatory requirements. If you operate in a regulated industry, there may be specific information security and data protection requirements that you must understand and comply with. For example, if you collect protected health information, you will have to be familiar with and comply with the Health Insurance Portability and Accountability Act (HIPAA), including its Security Rule.

___ Establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information you collect from customers. Personal information includes everything from social security numbers to financial information to biographical data. All such information must be securely handled and stored at the time it is collected and during its entire lifecycle in your custody. To find out what constitutes “personal information” under the various state data security breach notification laws, check out our Mintz Matrix.

___ Be vigilant about physical security. Many data breaches start with sensitive information left lying around the office, in an unlocked drawer, or on an unattended laptop. Keep documents containing sensitive data and personally identifiable information locked up, and lock the screens of unattended workstations. A clean desk is a safe desk.

___ Encrypt. When transmitting sensitive information, make sure it is encrypted in transit over a properly configured TLS connection (the protocol that replaced SSL), and encrypt it at rest on laptops and portable media as well. This is not only a privacy and information security "best practice"; it is also required or strongly incentivized by several laws and industry standards, including the HITECH Act breach notification rules (which treat properly encrypted electronic protected health information as secured), the Massachusetts data security regulations (which require encryption of personal information transmitted over public networks or stored on laptops and portable devices), and the Payment Card Industry Data Security Standard (PCI DSS) for cardholder data.

___ Password policies. Develop a culture of awareness and responsibility about data security, and start by implementing a rigorous password policy: unique passwords for each system, a minimum length, screening against known-breached passwords, and no shared accounts (NIST SP 800-63B is the current reference for what a sound policy looks like). Passwords alone are a weak control, so require multi-factor authentication for remote access, email, and administrative accounts. Confirm that your employees actually comply with the policy rather than assuming that they do.

___ Invest in information security resources. For example, use a properly configured TLS connection, not the deprecated SSL protocols (which PCI DSS no longer accepts as strong cryptography), when sending or receiving credit card information or other financial data over the internet, and make sure the client side verifies the server's certificate rather than silencing certificate errors. Keep operating systems and applications patched, run current endpoint protection (anti-virus and anti-malware) on every machine, and deploy a firewall to protect your systems and network from external threats.
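As an added illustration of the "Encrypt" and "secure connection" items above (this is example code written for this page, not code from the original post or its author), here is a Python client-side TLS context configured the way a practitioner would ship it for transmitting personal or financial data, a deliberately weak context of the kind that appears when someone "fixes" certificate errors by disabling verification, and an audit function that flags the weak settings. It assumes Python 3.7 or later (for `ssl.TLSVersion`); the hostname and port in `open_tls_connection` are placeholders supplied by the caller.

```python
"""Hardened vs. weak TLS client contexts, with an audit helper.

Added example, not part of the original post. Assumes Python >= 3.7.
"""
import socket
import ssl


def make_hardened_context() -> ssl.SSLContext:
    """Client context suitable for sending sensitive data.

    PROTOCOL_TLS_CLIENT already enables certificate verification and
    hostname checking; we set them explicitly for readability and pin
    the protocol floor to TLS 1.2, since SSL 2/3 and TLS 1.0/1.1 are
    broken or deprecated and PCI DSS no longer permits them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()  # trust the operating system's CA store
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The context that "makes the certificate warnings go away".

    Shown only so the audit below has something to reject: it accepts
    any certificate (including a man-in-the-middle's) and any protocol
    version the library still supports.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # server identity is never checked
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version {ctx.minimum_version!r} allows pre-TLS-1.2 protocols")
    return findings


def open_tls_connection(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with the hardened context (network call; not exercised offline).

    Raises ssl.SSLCertVerificationError if the certificate or hostname
    does not check out, which is exactly the behaviour you want when
    cardholder or health data is about to go over the wire.
    """
    ctx = make_hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("hardened", make_hardened_context()),
                      ("weak", make_weak_context())):
        problems = audit_context(ctx)
        print(f"{name}: {'OK' if not problems else problems}")
```

The audit function is the part worth lifting into a code review or a CI check: the three settings it inspects are the ones most often loosened "temporarily" during development and then shipped, and each one on its own turns an encrypted connection into one that an attacker on the network path can read or redirect.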

___ Collect and retain as little personal information as possible.  The easiest way to reduce your risk profile is to limit what you collect and retain.  Minimize what you take in and keep sensitive information only as long as reasonably necessary to fulfill the collection purpose.

___ Securely delete personal information you no longer need to retain. Know what information you have in your cabinets or on your systems and properly dispose of anything that no longer serves a legitimate business need. If you no longer need files or documents containing sensitive information, destroy them using proper methods: cross-cut shredding for paper, and a secure deletion tool or "e-shredder" for electronic copies. Be aware that overwriting individual files is unreliable on solid-state drives, journaling file systems and cloud storage, and does nothing about copies in backups; for those, rely on encryption with destruction of the keys, or physically destroy the media (NIST SP 800-88 describes the accepted sanitization methods). Again, this isn't just "best practice" in many situations; it's the law (e.g., the FTC Disposal Rule, Mass. Gen. Laws ch. 93I, the HIPAA Privacy Rule).

___ Know your service providers. Do your diligence to understand your service providers’ data security practices.  Release your customers’ personal information only to third parties capable of maintaining its confidentiality, security and integrity and get those assurances in writing.

___ Train your employees. Conduct trainings focused on confidentiality, privacy and data security, and ask your employees to certify that they have read and understand your policies. Require fresh trainings and certifications every year. When an employee leaves or is terminated, make sure that person returns all records and equipment containing sensitive information, disable his or her accounts and remote access the same day, and rotate any shared passwords or keys that person knew.

___ Update your policies and procedures.  Reassess your security measures periodically and re-train your employees.  Consider hiring a reputable independent firm to conduct a security audit as early as you can afford it.

___ Monitor your systems. Be proactive about protecting your systems and your customers. Monitor your physical spaces, network and systems, keep logs long enough to investigate an incident, and develop strategies to detect security breaches. Understand your vulnerabilities and encourage employees to report anything suspicious.

___ Develop a response plan. Prepare procedures for responding to data breaches and security incidents, including whom to call, how to contain the incident and preserve evidence, and when notification obligations are triggered, so that you can mitigate the damage to your business and to your customers if your systems or security are compromised. Rehearse the plan periodically rather than reading it for the first time during an incident.

Some Useful Resources:

Federal Trade Commission (FTC) guidelines reflect best practices and provide some insight as to how the FTC may focus its enforcement activity.  The following two FTC guides on data security may be helpful:

1.      Protecting Personal Information: A Guide for Business

2.      Start with Security: A Guide For Business (Lessons Learned from FTC Cases)

Here are other materials you may find helpful:

3.      Massachusetts Office of Consumer Affairs and Business Regulation: A Small Business Guide: Formulating A Comprehensive Written Information Security Program

4.      U.S. Small Business Administration’s How Small Businesses Can Protect and Secure Customer Information

Also be sure to check out our Privacy and Security Matters Blog for resources and up to date information on data security and privacy.