Scale Down: Why Less is More When Securing Sensitive Information

By Lesley Fair

If you’re like many busy executives, your file cabinets, desk drawers, computer, and cell phone have become a corporate archive brimming with business information. When it comes to having sensitive data at your fingertips, it used to be that more was considered better. But the climate has changed. In an age of security breaches and identity thieves, the professional pack rat should be a thing of the past.

Today’s savvy professionals have learned to travel light, keeping only what’s necessary and safely disposing of the rest. The Federal Trade Commission has advice on how you can protect your customers and employees by securing sensitive data in your possession. One tip: Scale down — Keep only what you need for business.

  • Cool, calm, and uncollected. If you don’t have a valid business reason to collect personal information, don’t ask for it in the first place. Review the forms you use to gather data — like credit applications and fill-in-the-blank web screens for potential customers — and revise them to eliminate requests for information you don’t need.
  • Don’t fidget with the digits. Unless you have a legitimate business justification, don’t hold onto customers’ credit card information, including account numbers and expiration dates. Keeping sensitive data longer than necessary creates an unwarranted risk for fraud.
  • Stay socially secure. Make it a company policy to use Social Security numbers only for required lawful purposes — like reporting payroll taxes. Don’t use them unnecessarily as employee identification numbers or customer locators.
  • Is your default at fault? Some of the software used to read card numbers and process transactions is configured by default to store card data indefinitely. Check your settings to make sure you're not inadvertently keeping more than you need.
  • Too much information? Make sure your receipts comply with a law that has applied to all businesses since December 1, 2006. Under the Fair and Accurate Credit Transactions Act, any electronically printed credit or debit card receipt you hand to a customer must truncate the account number: you may show no more than the last five digits, and you must not print the card's expiration date. Read the FTC's new Business Alert, Slip Showing? Federal Law Requires All Businesses to Truncate Credit Card Information on Receipts, to learn more.
  • Pay attention to retention. If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what must be kept, how to secure it, how long to keep it, who’s authorized to access it, and how to dispose of it securely when you no longer need it.
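The three card-handling tips above (keep no card data you don't need, truncate receipts, enforce a retention period) can be built into the data model rather than left to policy alone. The following is an added example, not code from the FTC article or from any payment processor: the stored record type simply has no field for the full account number, expiration date or verification code, receipts are generated from the truncated number, and a purge routine applies a written retention window. The record layout, the 90-day retention window, the HMAC key and the sample card numbers are all constructed for illustration.

```python
"""
Added example (not from the FTC article): card data handled the way the
"scale down" tips describe. Nothing here represents a real processor's API;
the record layout, retention window, key and sample data are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# FACTA caps receipts at the last five digits; printing only four is stricter and common.
RECEIPT_VISIBLE_DIGITS = 5
# Assumed window from a hypothetical written retention policy: keep records only
# as long as chargebacks and reconciliation require.
RETENTION = timedelta(days=90)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit, the standard sanity test for a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes, then require 13-19 digits that pass Luhn."""
    digits = re.sub(r"[ -]", "", raw)
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("not a valid primary account number")
    return digits


def truncate_for_receipt(pan: str, visible: int = RECEIPT_VISIBLE_DIGITS) -> str:
    """Receipt form of a PAN: every digit masked except the last `visible` (at most 5)."""
    if not 1 <= visible <= 5:
        raise ValueError("FACTA permits at most the last five digits on a receipt")
    digits = normalize_pan(pan)
    return "*" * (len(digits) - visible) + digits[-visible:]


@dataclass(frozen=True)
class StoredTransaction:
    """Everything retained after authorization. Note what is absent: no full
    account number, no expiration date, no CVV, no magnetic-stripe data."""
    masked_pan: str    # what the customer sees on the receipt
    card_token: str    # keyed one-way fingerprint: matches repeat cards without holding the PAN
    amount_cents: int
    when: datetime


def record_transaction(pan: str, expiry_mmyy: str, cvv: str, amount_cents: int,
                       when: datetime, token_key: bytes) -> StoredTransaction:
    """The full card details are accepted for authorization only; the expiry
    and CVV never reach the stored record."""
    digits = normalize_pan(pan)
    del expiry_mmyy, cvv  # deliberately dropped, never written anywhere
    token = hmac.new(token_key, digits.encode(), hashlib.sha256).hexdigest()[:16]
    return StoredTransaction(truncate_for_receipt(digits), token, amount_cents, when)


def receipt_lines(tx: StoredTransaction, merchant: str) -> list[str]:
    """Customer copy of the receipt: truncated number, no expiration date."""
    return [merchant,
            f"Card: {tx.masked_pan}",
            f"Amount: ${tx.amount_cents / 100:.2f}",
            f"Date: {tx.when:%Y-%m-%d}"]


def purge_expired(records: list[StoredTransaction], now: datetime,
                  retention: timedelta = RETENTION) -> list[StoredTransaction]:
    """Apply the retention policy: drop anything older than the window."""
    return [r for r in records if now - r.when <= retention]


if __name__ == "__main__":
    key = b"constructed-example-key"        # constructed; in practice keep this in a secrets store
    now = datetime(2007, 7, 1)
    txs = [record_transaction("4111 1111 1111 1111", "12/09", "123", 4250, now - timedelta(days=10), key),
           record_transaction("4111 1111 1111 1111", "12/09", "123", 1999, now - timedelta(days=200), key)]
    for line in receipt_lines(txs[0], "Example Store"):
        print(line)
    print(f"{len(purge_expired(txs, now))} of {len(txs)} records kept after retention purge")
```

The design point is that minimization is enforced by construction: because `StoredTransaction` has no place to put an expiration date or CVV, no later feature can quietly start keeping them, and the keyed token lets you recognize a returning card for fraud screening without retaining the number itself.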

Looking for more tips on securing sensitive data? Read Protecting Personal Information: A Guide for Business at business.ftc.gov.

Lesley Fair is an attorney in the FTC’s Bureau of Consumer Protection who specializes in business compliance.

July 2007