Benefits of a Data Retention Policy
Most businesses accumulate massive amounts of sensitive information and, like many of us at home, never get around to throwing out the stuff they don’t need anymore. But times have changed. In an age of security breaches and identity thieves, holding on to sensitive business or customer information longer than necessary can significantly increase your information security risks.
The best way to protect your business is to systematically identify what information you collect from customers or partners on web registration forms, contracts, service orders, and sales and customer service records, in both digital and non-digital form. This process should be driven by the creation of a data classification scheme that identifies the sensitivity of this data, the security controls that should be used to manage it, and how long it should be retained.
Going through this process will give you the opportunity to define what data, if any, should be retained for the long term, and what data can be disposed of. By keeping only what’s necessary and safely disposing of the rest, you can protect your customers and employees by securing sensitive data in your possession. One tip: Scale down. Keep only what you need for business.
- If you don’t have a valid business reason to collect personal information, don’t ask for it in the first place. Review the forms you use to gather data — like credit applications and fill-in-the-blank web screens for potential customers — and revise them to eliminate requests for information you don’t need.
- Unless you have a legitimate business justification, don’t hold onto customers’ credit card information, including account numbers and expiration dates. Keeping sensitive data longer than necessary creates an unwarranted risk for fraud.
- Sometimes the software used to read credit card numbers and process transactions is preset to store information permanently. Check your settings to make sure you’re not inadvertently keeping more than you need.
- If you must keep information for business reasons or to comply with the law, develop a written records and data retention policy to identify what must be kept, how to secure it, how long to keep it, who’s authorized to access it, and how to dispose of it securely when you no longer need it.
