The General Ledger
Posted: June 10th, 2008 @ 11:34am
- New Federal Trade Commission (FTC) ID-theft campaign. A company’s records of personal data on employees and their dependents, its customers and others are a gold mine to data thieves, who will pose as employees, bribe insiders, even go through company trash bins, to get their hands on them. The new FTC campaign to alert businesses stresses 5 principles of data security:
- Know what personal information is in company files and on your computer. This is the first step to good data security. Places to check include file cabinets, computer hard drives, network drives, e-mails, thumb drives, disks, laptops, tapes, etc. Payroll and HR have access to personal data on employees and dependents, including names, addresses, SSNs and bank account numbers. Focus on: SSNs, the goal of every identity thief. Other data enhances misuse of SSNs. To find all possible sources of data, track how data moves through your company. AIPB personal tip: Don’t carry- and tell employees not to carry- their Social Security card and credit card in the same wallet, in case the wallet is stolen.
- If there is no business need for personal information-don’t ask for it. If you have business reasons for storing personal information, develop a written records-retention policy that covers what is to be kept, for how long, and how to dispose of it properly. Until a job applicant is hired, don’t ask for an SSN. Discuss with the company attorney a policy for storing or disposing of job applications from rejected applicants.
Check software defaults to see what information is kept automatically. The FTC recommends changing default settings so that no unneeded information in inadvertently retained.
Be equally cautious with customer data. Nearly 90% of consumers have been asked for their SSN, according to the FTC, and many provide it for fear that services may be denied if they do not.
3. Protect stored information. The best method for storing sensitive data depends on what the data are. The FTC cites 4 key factors:
a. Physical security. Lock doors and cabinets, implement clean-desk rules, monitor offsite storage, and track package shipments.
b. Electronic security. Get contributions from your systems people, but do not make it their job; generally, users are the weak link. To improve network security, require and manage strong passwords (PWs), discourage PW sharing, and require PWs to be changed regularly. Require users to immediately change default PWs provided by your systems people or vendors.
For laptops, the FTC urges limiting use to only those who need them for their job. Storing sensitive data on laptops is high risk, so consider requiring laptops to access central computers for these data and prohibit storing it on laptops. Consider providing cords and locks so that units can be fastened securely to desks or tabletops.
c. Employee training. The best defense against data and ID theft is a well-trained workforce.
FTC recommendation: Make sure new hires understand your confidentiality and security rules. Train employees in the security for their job, how to recognize potential threats, and what to do.
When hiring, do background checks on applicants for jobs that have access to sensitive data.
d. Service-provider security. Before using payroll, DP, Web hosting, or customer call services, check out vendor security procedures.
4. Be methodical about disposal- as methodical as you are about storage. Require payroll and HR to do whatever it takes to make sure that disposed-of personally identifiable information cannot be read or reconstructed. Simply deleting data on a hard drive does not prevent its restoration. Require software that overwrites data on all computer and portable storage devices.
5. Have a response plan for breaches. Security breaches occur daily in all firms; be prepared. Include in the plan notification of law enforcement, customers, consumers, employees, credit bureaus, and others who may be affected by a breach.
