PRIVACY, SECURITY & ID THEFT PREVENTION

- TIPS FOR THE VIGILANT BUSINESS -

SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM

October 21, 2014

- WITH THANKS TO THE W. KY. BBB -

CONSIDER A FIVE STEP PLAN

• 1. Take stock
• 2. Scale down
• 3. Lock it
• 4. Pitch it
• 5. Plan ahead

1. TAKE STOCK

• Know what personal information you have in your files and on your computers.

TAKING STOCK

• Inventory all computers, laptops, flash drives, disks, home computers, and other equipment to find out where your company stores sensitive data.

• Also inventory the information you have by type and location.

TAKING STOCK

• Who sends sensitive personal information to your business.

• How your business receives personal information.

• What kind of information you collect.

• Where you keep the information you collect.

- Is it in a central computer database?
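As an added example (not part of the forum slides), a small Python data-discovery script for the "take stock" step: it walks a directory and reports which files appear to hold SSN-style numbers, Luhn-valid payment card numbers or e-mail addresses, giving an inventory by type and location. The patterns are heuristics and the files written by demo() are constructed sample data.

```python
import os
import re
import tempfile

# Heuristic patterns: hits are leads for a person to review, not proof of PII.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Count each sensitive data type that appears in one file's text."""
    cards = [m for m in CARD_RE.findall(text)
             if luhn_ok(re.sub(r"\D", "", m))]
    found = {"ssn": len(SSN_RE.findall(text)), "card": len(cards),
             "email": len(EMAIL_RE.findall(text))}
    return {k: v for k, v in found.items() if v}

def inventory(root: str) -> dict:
    """Map each file under root (relative path) to the data types it holds."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = classify(fh.read())
            except OSError:
                continue            # unreadable file: skip it, keep scanning
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo() -> dict:
    """Write a constructed sample tree (fake data) and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "hr"))
        with open(os.path.join(root, "hr", "staff.csv"), "w") as fh:
            fh.write("Jane Doe,123-45-6789,jane@example.com\n")
        with open(os.path.join(root, "orders.txt"), "w") as fh:
            fh.write("card 4111 1111 1111 1111 order 1234567890123\n")
        return inventory(root)
```

Run demo() to see the inventory; point inventory() at a real share to build your own, and review every hit by hand before acting on it.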

2. SCALE DOWN

• Scale down. Keep only what you need for your business.

SCALE DOWN

• If you don’t have a legitimate business need for sensitive personally identifying information: don’t keep it, and don’t even collect it.

• If you have a legitimate business need for the information: keep it only as long as necessary.

SCALE DOWN

• If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify:

– What information must be kept
– How to secure it
– How long to keep it
– How to dispose of it securely when you no longer require it.

3. LOCK IT

Protect the information that you keep.

SECURITY CHECK

• If you encrypt your customers’ financial data on your web site, DO NOT then decrypt it and email it over the Internet to a branch office in regular text.

• Regular email is NOT a secure method for sending sensitive data.

• Encrypt any transmission that contains information to be shielded from fraudsters or ID thieves.

LOCK IT

Effective data security plans cover four key elements:

1. Physical security

2. Electronic security

3. Employee training

4. Security practices of 3rd parties

PHYSICAL SECURITY

• Data compromise can still happen the old-fashioned way: lost or stolen paper documents.

• Often the best defense is a locked door or an alert employee.

• Store paper documents, flash drives, and backups containing personally identifiable information in a locked room/file cabinet.

• Limit access only to employees with a legitimate business need.

GENERAL NETWORK SECURITY

• You may not even have IT staff, but your responsibility remains.

• Assess potential vulnerabilities of your system/database and follow the advice of legitimate experts.

• Identify all connections to computers/servers maintaining sensitive/personal information (e.g., Internet, computers at branch offices, and wireless devices/smartphones/tablets).

• Limit the number of users and wireless devices that can access your network.

• Cost-effective options for enhanced protection: Firewalls; Filters; Anti-Virus software; Anti-Spyware; Junk Blockers

LAPTOP SECURITY

• Restrict use of laptops to staff requiring them to perform their jobs.

• Assess whether sensitive information needs to be stored on a laptop. If not, delete it with a “wiping” program that overwrites data on the laptop.

• Beware of the risks of WiFi.

EMPLOYEE TRAINING

• RISKS ARE ALL AROUND US: Malware – Scareware - Phishing - Social Networking - Viruses - Keystroke Counters [Don’t invite them in]

• A data security plan may cover all bases on paper, but it’s only as strong as the employees who implement it.

• Continual employee training re: newly arising risks and vulnerabilities is key - Create a “culture of security”

PASSWORD MANAGEMENT

• Control access to sensitive information: Employ complex passwords through mixing letters, numbers, and characters.

• Require an employee’s user name and password to be different and mandate regular password updates.

• Passwords should NOT be shared.

CONTRACTORS & THIRD PARTIES

• Your business’ security practices are affected by all those who implement them, including contractors and service providers.

• Before outsourcing any of your business functions, investigate the vendor’s data security practices and compare their standards to your own.

4. PITCH IT

• PITCH IT. Properly dispose of what you no longer need.

WHAT IS “PROPER” DISPOSAL?

• Reasonable and appropriate practices to prevent the unauthorized access to – or use of – personally identifiable information.

• “Reasonable” = Based on data sensitivity, costs and benefits of disposal options & technology changes

• Shred/pulverize sensitive papers so they cannot be read or reconstructed

• Destroy/erase sensitive electronic files/media so they cannot be read or reconstructed

• Old computers/portable storage devices: Consider wipe utility programs - designed to overwrite the hard drive to prevent files from being recovered.

5. PLAN AHEAD

Create a plan for responding to security incidents.

PLAN AHEAD

• Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to personal information.

• Promptly assess the degree of compromise.

• Consider whom to immediately notify in the event of an incident, both inside and outside your organization - e.g., customers, law enforcement, and other businesses that may be affected by the breach.

• States and federal regulatory agencies have laws and guidelines addressing data breaches and requirements with which you must comply.

PLAN AHEAD

• No one-size-fits-all approach to data security - what’s right for you depends on the nature of your business and the type of information you collect.

• Some of the most effective basic security measures - personnel training, complex passwords, securing sensitive paperwork, etc. - are of negligible cost.

• Free or low-cost security tools at non-profit websites dedicated to data security.

• REMEMBER: It’s more cost-effective in the long run to invest in better data security than to lose the goodwill of customers, defend yourself in legal actions, and face other consequences of a data breach.

THANK YOU!