Federal Trade Commission
Part I – Your Responsibilities Under the Law
Article contributed by Bill Cafferty, Retail Loss Prevention Consultant
August 2012
LP Corner
A monthly publication brought to you by the Retail Loss Prevention department. Providing Ace Hardware retailers with professional, cost-effective loss prevention services since 1994.
This is the first in a series of four LP Corner articles that address federal statutory requirements with
which Ace retailers are required to comply. The purpose is to inform, educate, and provide “best practice”
guidance for compliance.
The Federal Trade Commission (FTC) is the federal regulatory agency that enforces antitrust and
trade practices laws. Among its many responsibilities and powers, it implements trade regulation rules
to define specific acts or practices that are unfair or deceptive and establishes requirements designed
to prevent such acts and practices. This article highlights some of the more significant rules, how they
impact the Ace retailer, and suggestions on how to stay in compliance. The source of the vast majority
of information presented in this article is the FTC website – www.ftc.gov.
PROTECTING PERSONAL INFORMATION
Most companies keep sensitive personal information in their files – names, Social Security numbers,
credit card or other account data – that identifies customers and associates. This information is
necessary to fill orders, meet payroll, and perform other business functions. However, if sensitive data
falls into the wrong hands, it can lead to fraud, identity theft, or similar harms.
A sound data security plan is built on 5 key principles.
1. Take stock – Know what personal information you have in your files and on your computers.
• Identify all computers, laptops, flash drives, disks, paper documents and files in your store that
contain personal data of customers and associates.
• Get a complete picture of who sends personal information to your business; how your business
receives personal information; what kind of personal information is received; what kind of
information you collect from customers and associates; where you keep that information;
and who has – or could have – access to that information. Different types of information present
varying risks. Pay particular attention to how you keep customers’ and associates’ personal
information: Social Security numbers, credit card or financial information, and other sensitive
data. That’s what thieves use most often to commit fraud or identity theft.
• Contact your POS provider and confirm that your POS system is configured so that you are in
compliance with the Payment Card Industry (PCI) Data Security Standards (DSS).
2. Scale down – Keep only what you need for your business.
• Use Social Security numbers only for required and lawful purposes. Don’t use them unnecessarily
– for example, don’t use them for associate identification (even just the last four digits).
• The law (PCI Data Security Standards) requires you to shorten – or truncate – electronically
printed credit and debit card receipts you give to your customers. You may include no more
than the last five digits of the card numbers, and you must delete the expiration date. See
http://business.ftc.gov/documents/alt007-slip-showing-federal-law-requires-all-businesses-truncate-credit-card-information-receipts for details.
• Do not keep customer credit card information unless you have a valid business need for it. If you
must retain it, it must be given adequate protection. You should also develop a written records
retention policy to identify what information must be kept, how to secure it, how long to keep it,
and how to dispose of it securely when you no longer need it.
• Contact your POS provider to verify that card numbers stored on your system are encrypted and
that they manage the encryption keys in accordance with PCI DSS.
NOTE: You may view and download a complete copy of the PCI DSS directive at
https://www.pcisecuritystandards.org/documents/pci_glossary_v20.pdf. The Ace Hardware contact for
PCI related questions is [email protected].
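The following is an added example, not part of the LP Corner article and not Ace Hardware's or any POS vendor's tooling. It covers two of the steps above in code: the "take stock" inventory of files that hold card numbers or Social Security numbers, and the "scale down" receipt rule (no more than the last five digits of the card number, no expiration date). The file contents and receipts are constructed samples; the Luhn check is the standard card-number checksum; the SSN layout (nnn-nn-nnnn) and the "EXP mm/yy" receipt label are assumptions about data formats, not requirements stated in the article.

```python
"""Added example: inventory stored card/SSN data and check receipt truncation."""
from __future__ import annotations

import re

# A card number is 13-19 digits, possibly grouped with spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed SSN layout nnn-nn-nnnn (an assumption, not from the article).
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed receipt label for an expiration date, e.g. "EXP 12/25".
_EXPIRY = re.compile(r"\bEXP(?:IRES|IRY)?\.?\s*:?\s*(?:0[1-9]|1[0-2])/\d{2,4}\b", re.IGNORECASE)

# Constructed sample "files" a store might keep (not real data).
SAMPLE_FILES = {
    "customers.csv": "Jane Doe,4111 1111 1111 1111,12/25\nJohn Roe,5500 0000 0000 0004,03/26\n",
    "payroll.txt": "Jane Doe,123-45-6789,hourly\nInvoice 7001234567 paid\n",
}
# Constructed receipts: one truncated as the article requires, one not.
GOOD_RECEIPT = "ACE HARDWARE STORE\nVISA ************1111\nAUTH 012345\nTOTAL $42.17\n"
BAD_RECEIPT = "ACE HARDWARE STORE\nVISA 4111 1111 1111 1111 EXP 12/25\nTOTAL $42.17\n"


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by card numbers; filters out phone/invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit-only form of every Luhn-valid card number found in text."""
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def inventory(files: dict[str, str]) -> dict[str, dict[str, int]]:
    """'Take stock': report which files hold card numbers or SSN-formatted values."""
    report: dict[str, dict[str, int]] = {}
    for name, contents in files.items():
        cards = len(find_card_numbers(contents))
        ssns = len(_SSN.findall(contents))
        if cards or ssns:
            report[name] = {"card_numbers": cards, "ssns": ssns}
    return report


def truncate_for_receipt(pan: str, visible: int = 4) -> str:
    """Mask a card number for printing; the article allows at most the last five digits."""
    digits = re.sub(r"\D", "", pan)
    if not 0 < visible <= 5:
        raise ValueError("receipts may show no more than the last five digits")
    return "*" * (len(digits) - visible) + digits[-visible:]


def receipt_violations(receipt: str) -> list[str]:
    """'Scale down': list the ways a receipt text breaks the truncation rule."""
    problems = []
    if find_card_numbers(receipt):
        problems.append("full card number printed")
    if _EXPIRY.search(receipt):
        problems.append("expiration date printed")
    return problems


if __name__ == "__main__":
    print("files holding personal data:", inventory(SAMPLE_FILES))
    print("good receipt:", receipt_violations(GOOD_RECEIPT) or "compliant")
    print("bad receipt:", receipt_violations(BAD_RECEIPT))
    print("masked:", truncate_for_receipt("4111 1111 1111 1111"))
```

The receipt check only tests the two conditions the article states; it is a sanity check on what the register actually prints and does not replace confirming the POS configuration with your provider as the article advises. The inventory counts are deliberately conservative (Luhn-valid runs of 13 to 19 digits only), so short account numbers or card data stored in other layouts still need the manual review the "take stock" step calls for.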
Mark your Chicago Convention Calendars for FREE Retail Loss Prevention Training!
Shoplifting Prevention – Thursday, August 16, 1 to 2:30 p.m. Gain the knowledge you need to teach your associates to work as a team to identify and prevent shoplifting.
Associate Theft Prevention – Thursday, August 16, 3:30 to 5 p.m. Associate dishonesty is the leading cause of store shrinkage. Learn how to identify associate dishonesty, approach the situation, and complete the interview/restitution/termination/prosecution process.
Epicor POS Security – Friday, August 17, 2:30 to 4:30 p.m. The number one place that associates take advantage of a store is at the point of sale. This session will walk store owners through ways to protect against POS theft.
CONTACT US: Phone: (630) 972-2670 www.acelossprevention.com
Remember ... SALES + LOSS PREVENTION = GOOD BUSINESS
3. Lock it – Protect the information that you keep. Many data compromises happen the old-fashioned way – through lost or stolen
paper documents. Often, the best defense is a locked door or an alert associate.
Physical Security
• Store paper documents or files, as well as CDs, DVDs, floppy disks, thumb drives, zip drives, tapes, and any other backup media
containing personally identifiable information in a locked room or in a locked file cabinet. Limit access to associates with a
legitimate business need. Control who has keys, and the number of keys.
• Require associates to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day, as
well as when absent for breaks during the day.
• If you maintain off-site storage facilities, limit associate access to those with a legitimate business need. Know if and when someone
accesses the storage site.
Electronic Security
• Identify the computers or servers where sensitive personal information is stored.
• Don’t store sensitive consumer data on any computer with an Internet connection unless it’s essential for conducting
your business.
• Assess the vulnerability of each connection (POS terminals, wireless devices, etc.) to your computers and servers. Depending on
your circumstances, appropriate assessments may range from having a knowledgeable associate run off-the-shelf security software
to having an independent professional conduct a full-scale security audit.
• Regularly run up-to-date anti-virus and anti-spyware programs on individual computers and on servers on your network.
• Control access to sensitive information by requiring that associates use strong passwords. Require an associate’s user name and
password to be different, and require frequent changes in passwords.
• Require every associate whose duties give them access to personal information of others to sign an agreement to follow your
company’s confidentiality and security standards for handling sensitive data. Make sure they understand that abiding by your
company’s data security plan is an essential part of their duties.
• Require associates to notify you immediately if they become aware of, or suspect, a breach of security.
• Consider asking those associates whose duties give them access to personal information of others to take the FTC’s plain-language,
interactive tutorial at http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html.
4. Pitch it – Properly dispose of what you no longer need.
• Implement formal information disposal practices that are reasonable and appropriate to prevent unauthorized access to – or use
of – personally identifying information.
• Effectively dispose of paper records by shredding, burning, or pulverizing them before discarding. Make shredders available,
including next to the photocopier.
• When disposing of old computers and portable storage devices, use disk wipe and/or file shredding programs to ensure that all
sensitive data files have been destroyed.
• If you use consumer credit reports, you may be subject to the FTC’s Disposal Rule. For more information, see
http://business.ftc.gov/documents/alt152-disposing-consumer-report-information-new-rule-tells-how.
5. Plan ahead – Create a plan to respond to security incidents. Taking steps to protect data in your possession can go a long way toward
preventing a security breach.
• If a computer is compromised, disconnect it immediately from the Internet.
• Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to personal information.
• Consider whom to notify in the event of an incident, both inside and outside your company. You may need to notify customers,
law enforcement, credit bureaus, and other businesses that may be affected by the breach. Many states, as well as bank regulatory
agencies, have laws or guidelines addressing data breaches. Consult your attorney. See
http://business.ftc.gov/documents/bus66-businesses-must-provide-victims-and-law-enforcement-transaction-records-relating-identity
for the Fair Credit Reporting Act guidance on this matter.
COMING NEXT MONTH
PART II – INFORMATION COMPROMISE AND THE RISK OF IDENTITY THEFT
Detailed guidance, links, telephone numbers, and a sample notification letter to customers whose personal data has been subjected to possible compromise.