
Federal Trade Commission
Part I – Your Responsibilities Under the Law

Article contributed by Bill Cafferty, Retail Loss Prevention Consultant

August 2012
LP Corner
A monthly publication brought to you by the Retail Loss Prevention department. Providing Ace Hardware retailers with professional, cost-effective loss prevention services since 1994.

This is the first in a series of four LP Corner articles that address federal statutory requirements with which Ace retailers are required to comply. The purpose is to inform, educate, and provide “best practice” guidance for compliance.

The Federal Trade Commission (FTC) is the federal regulatory agency that enforces antitrust and trade practices laws. Among its many responsibilities and powers, it implements trade regulation rules to define specific acts or practices that are unfair or deceptive and establishes requirements designed to prevent such acts and practices. This article highlights some of the more significant rules, how they impact the Ace retailer, and suggestions on how to stay in compliance. The source of the vast majority of information presented in this article is the FTC website – www.ftc.gov.

PROTECTING PERSONAL INFORMATION

Most companies keep sensitive personal information in their files – names, Social Security numbers, credit card or other account data – that identifies customers and associates. This information is necessary to fill orders, meet payroll, and perform other business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms.

A sound data security plan is built on 5 key principles.

1. Take stock – Know what personal information you have in your files and on your computers.

• Identify all computers, laptops, flash drives, disks, paper documents and files in your store that contain personal data of customers and associates.

• Get a complete picture of who sends personal information to your business; how your business receives personal information; what kind of personal information is received; what kind of information you collect from customers and associates; where you keep that information; and who has – or could have – access to that information. Different types of information present varying risks. Pay particular attention to how you keep customers’ and associates’ personal information: Social Security numbers, credit card or financial information, and other sensitive data. That’s what thieves use most often to commit fraud or identity theft.

• Contact your POS provider and confirm that your POS system is configured so that you are in compliance with the Payment Card Industry Data Security Standard (PCI DSS).

2. Scale down – Keep only what you need for your business.

• Use Social Security numbers only for required and lawful purposes. Don’t use them unnecessarily – for example, don’t use them for associate identification (even just the last four digits).

• Federal law (the Fair and Accurate Credit Transactions Act, FACTA) requires you to shorten – or truncate – electronically printed credit and debit card receipts you give to your customers. You may include no more than the last five digits of the card number, and you must delete the expiration date. PCI DSS, which is an industry standard rather than a law, is stricter about what may be displayed (no more than the first six and last four digits), so a receipt that shows only the last four digits and no expiration date satisfies both. See http://business.ftc.gov/documents/alt007-slip-showing-federal-law-requires-all-businesses-truncate-credit-card-information-receipts for details.

• Do not keep customer credit card information unless you have a valid business need for it. If you must retain it, it must be given adequate protection. You should also develop a written records retention policy that identifies what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.

• Contact your POS provider to verify that card numbers stored on your system are encrypted and that the encryption keys are managed in accordance with PCI DSS. Note that PCI DSS never permits storing the full magnetic-stripe data, the card verification code (CVV2/CVC2), or the PIN after a transaction has been authorized, even in encrypted form.

NOTE: The PCI DSS and its glossary of terms are published by the PCI Security Standards Council. The glossary is at https://www.pcisecuritystandards.org/documents/pci_glossary_v20.pdf, and the full standard can be downloaded from the same site. The Ace Hardware contact for PCI-related questions is [email protected].
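The “take stock” and “scale down” steps above can be checked mechanically. The following Python tool is an added example and is not part of the LP Corner article or any Ace Hardware or FTC material: it finds unmasked card numbers and Social Security numbers in text (to inventory where sensitive data lives), checks a printed receipt against the truncation rules, and masks card numbers the way those rules require. It assumes the receipt labels the expiration date “EXP”, uses a Luhn checksum to tell real card numbers from order or phone numbers, and runs on constructed sample data (industry test card numbers and a made-up SSN), not real records.

```python
"""Added example, not part of the LP Corner article: a small Python tool for the
"take stock" and "scale down" steps. It finds unmasked card numbers and Social
Security numbers in text, checks a printed receipt against the truncation rules,
and masks card numbers the way those rules require. All receipt lines and file
contents below are constructed samples."""
import re

# Card number (PAN) candidates: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security numbers in the usual NNN-NN-NNNN form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Expiration dates as receipts print them. Assumes the receipt labels the date "EXP";
# a bare MM/YY is deliberately not matched so the sale date (e.g. 08/16/12) is left alone.
EXP_RE = re.compile(r"\bexp(?:ires|iry)?\.?:?\s*(?:0[1-9]|1[0-2])/\d{2,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false for most random digit
    runs (order numbers, phone numbers), which keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Replace all but the kept digits with 'X'. The defaults keep only the last four,
    which satisfies FACTA (no more than the last five on a receipt) and PCI DSS
    (no more than the first six and last four when a PAN is displayed)."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("keeping that many digits exceeds the PCI DSS display limit")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "X" * hidden + digits[len(digits) - keep_last:]


def find_sensitive(text: str) -> list:
    """Return (kind, value) pairs for every unmasked card number or SSN in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            hits.append(("PAN", m.group(0)))
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", m.group(0)))
    return hits


def inventory(files: dict) -> dict:
    """'Take stock': map each file name to the kinds of sensitive data found in it."""
    result = {}
    for name, body in files.items():
        kinds = sorted({kind for kind, _ in find_sensitive(body)})
        if kinds:
            result[name] = kinds
    return result


def check_receipt(text: str) -> list:
    """List what on a printed receipt would violate the truncation rules."""
    problems = [f"unmasked card number: {v}" for k, v in find_sensitive(text) if k == "PAN"]
    problems += [f"expiration date printed: {m.group(0)}" for m in EXP_RE.finditer(text)]
    return problems


def truncate_receipt_line(line: str) -> str:
    """Apply the rules to one receipt line: mask any real card number, drop the expiration date."""
    def mask_match(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return EXP_RE.sub("", PAN_RE.sub(mask_match, line)).rstrip()


def truncate_receipt(text: str) -> str:
    return "\n".join(truncate_receipt_line(line) for line in text.splitlines())


# Constructed sample data (industry test card numbers, made-up SSN); not real records.
RECEIPT = """ACE HARDWARE  STORE #0000
08/16/12 14:05  REG 3
VISA  4111111111111111  EXP 04/14
TOTAL  $23.47"""

SAMPLE_FILES = {
    "payroll/new_hire.txt": "Name: J. Doe  SSN: 123-45-6789  Start: 08/20/12",
    "pos/export.csv": "sale,4242 4242 4242 4242,23.47\nsale,XXXXXXXXXXXX1111,10.00",
    "notes/todo.txt": "Invoice 1234567890 paid; call (630) 972-2670 about the delivery",
}

if __name__ == "__main__":
    print(inventory(SAMPLE_FILES))      # which files hold card numbers or SSNs
    print(check_receipt(RECEIPT))       # what the untruncated receipt gets wrong
    print(truncate_receipt(RECEIPT))    # the same receipt after masking
```

Run against a directory of exported reports, log files, or spooled receipt text, the inventory tells you where card numbers and SSNs actually sit, which is the starting point for the retention policy described above; the receipt check is a quick way to confirm what a POS system prints before asking the provider about its configuration.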


Mark your Chicago Convention Calendars for FREE Retail Loss Prevention Training!

Shoplifting Prevention
Thursday, August 16, 1 to 2:30 p.m.
Gain the knowledge you need to teach your associates to work as a team to identify and prevent shoplifting.

Associate Theft Prevention
Thursday, August 16, 3:30 to 5 p.m.
Associate dishonesty is the leading cause of store shrinkage. Learn how to identify associate dishonesty, approach the situation, and complete the interview/restitution/termination/prosecution process.

Epicor POS Security
Friday, August 17, 2:30 to 4:30 p.m.
The number one place that associates take advantage of a store is at the point of sale. This session will walk store owners through ways to protect against POS theft.

CONTACT US:
Phone: (630) 972-2670
www.acelossprevention.com

Remember ... SALES + LOSS PREVENTION = GOOD BUSINESS


3. Lock it – Protect the information that you keep. Many data compromises happen the old-fashioned way – through lost or stolen paper documents. Often, the best defense is a locked door or an alert associate.

Physical Security

• Store paper documents or files, as well as CDs, DVDs, floppy disks, thumb drives, zip drives, tapes, and any other backup media containing personally identifiable information in a locked room or in a locked file cabinet. Limit access to associates with a legitimate business need. Control who has keys, and the number of keys.

• Require associates to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day, as well as when absent for breaks during the day.

• If you maintain off-site storage facilities, limit associate access to those with a legitimate business need. Know if and when someone accesses the storage site.

Electronic Security

• Identify the computers or servers where sensitive personal information is stored.

• Don’t store sensitive consumer data on any computer with an Internet connection unless it’s essential for conducting your business.

• Assess the vulnerability of each connection (POS terminals, wireless devices, etc.) to your computers and servers. Depending on your circumstances, appropriate assessments may range from having a knowledgeable associate run off-the-shelf security software to having an independent professional conduct a full-scale security audit.

• Regularly run up-to-date anti-virus and anti-spyware programs on individual computers and on servers on your network, and keep the operating system and POS software patched.

• Control access to sensitive information by requiring that associates use strong passwords. Give each associate an individual user name (no shared logins), require that the user name and password be different, and require regular password changes; PCI DSS calls for a change at least every 90 days, and a password should be changed immediately if it may have been exposed.

• Require every associate whose duties give them access to personal information of others to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data. Make sure they understand that abiding by your company’s data security plan is an essential part of their duties.

• Require associates to notify you immediately if they become aware of, or suspect, a breach of security.

• Consider asking those associates whose duties give them access to personal information of others to take the FTC’s plain-language, interactive tutorial at http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html.

4. Pitch it – Properly dispose of what you no longer need.

• Implement formal information disposal practices that are reasonable and appropriate to prevent unauthorized access to – or use of – personally identifying information.

• Effectively dispose of paper records by shredding, burning, or pulverizing them before discarding. Make shredders available, including next to the photocopier.

• When disposing of old computers and portable storage devices, use disk wipe and/or file shredding programs to ensure that all sensitive data files have been destroyed. Deleting files or reformatting a drive does not remove the data; a drive that cannot be wiped (for example, one that has failed) should be physically destroyed.

• If you use consumer credit reports, you may be subject to the FTC’s Disposal Rule. For more information, see http://business.ftc.gov/documents/alt152-disposing-consumer-report-information-new-rule-tells-how.

5. Plan ahead – Create a plan to respond to security incidents. Taking steps to protect data in your possession can go a long way toward preventing a security breach.

• If a computer is compromised, disconnect it from the network immediately, including the store’s POS network, but do not wipe or reuse it until it has been examined: the evidence on it is needed to determine what was taken and to support any notification or prosecution.

• Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to personal information.

• Consider whom to notify in the event of an incident, both inside and outside your company. You may need to notify customers, law enforcement, credit bureaus, and other businesses that may be affected by the breach. Many states, and the federal bank regulatory agencies, have laws or guidelines addressing data breaches. Consult your attorney. See http://business.ftc.gov/documents/bus66-businesses-must-provide-victims-and-law-enforcement-transaction-records-relating-identity for the Fair Credit Reporting Act guidance on this matter.


COMING NEXT MONTH
PART II – INFORMATION COMPROMISE AND THE RISK OF IDENTITY THEFT

Detailed guidance, links, telephone numbers, and a sample notification letter to customers whose personal data has been subjected to possible compromise.