Posts Tagged ‘Identity Theft’

Benefits of a Data Retention Policy

Tuesday, November 18th, 2008

Most businesses accumulate massive amounts of sensitive information and, like many of us at home, never get around to throwing out the stuff they don’t need anymore. But times have changed. In an age of security breaches and identity thieves, holding on to sensitive business or customer information longer than necessary can significantly increase your information security risks.

The best way to protect your business is to systematically identify what information you collect from customers or partners on web registration forms, contracts, service orders, and sales and customer service records, in both digital and non-digital form. This process should be driven by the creation of a data classification scheme that identifies the sensitivity of this data, the security controls that should be used to manage it, and how long it should be retained.

Going through this process will give you the opportunity to define what data, if any, should be retained for the long term, and what data can be disposed of. By keeping only what’s necessary and safely disposing of the rest, you can protect your customers and employees by securing sensitive data in your possession. One tip: Scale down — Keep only what you need for business.

  • If you don’t have a valid business reason to collect personal information, don’t ask for it in the first place. Review the forms you use to gather data — like credit applications and fill-in-the-blank web screens for potential customers — and revise them to eliminate requests for information you don’t need.
  • Unless you have a legitimate business justification, don’t hold onto customers’ credit card information, including account numbers and expiration dates. Keeping sensitive data longer than necessary creates an unwarranted risk for fraud.
  • Sometimes the software used to read credit card numbers and process transactions is preset to store information permanently. Check your settings to make sure you’re not inadvertently keeping more than you need.
  • If you must keep information for business reasons or to comply with the law, develop a written records and data retention policy to identify what must be kept, how to secure it, how long to keep it, who’s authorized to access it, and how to dispose of it securely when you no longer need it.

 


Identity Theft and Junk Mail

Monday, November 10th, 2008

It’s a mistake to think that identity theft is an Internet-only problem. The fact is that there are plenty of offline ways for criminals to steal your identity, social security number, credit card information, or other sensitive information. The two most common are:

  1. People can steal mail out of your mail box.
  2. People can steal un-shredded documents from your trash.

One way you can significantly reduce your offline risk is to reduce or eliminate the amount of junk mail you receive, especially those pre-approved credit card offers.

Doing this manually is a lot of work, but I’ve started using a service called Green Dimes that lets you specify exactly which credit card companies or catalogs you want to stop receiving postal mail from. They have a complete list of every company that sends junk mail and you simply check off the ones you want to eliminate.

It’s an incredible service. There’s a free version and a paid one that only requires a one-time $20 fee.

Since we started using it at my house, we’ve eliminated 95% of the credit card and financial service offers we used to receive in the mail. Plus we stopped getting a lot of catalogs we don’t want anymore, which has reduced the amount of paper we recycle significantly.

Before we got Green Dimes, I used to shred all of this mail, but I couldn’t keep up with it and these offers piled up all over the house. Now we don’t even get them. I can’t tell you what a relief that is, and I know that no one else is intercepting them either.
