As Americans go about their day, filling up gas tanks, shopping online and visiting the grocery store, they leave behind a trail of information – names, dates of birth, credit card numbers, addresses, online login names and passwords.
Many don’t give much thought to the personally identifiable information (PII) that companies collect until national headlines grab their attention with startling news, such as the compromise of the PII of 110 million Target customers and, more recently, some of the largest hotel chains in the U.S. admitting that a data breach affected customers across more than 14 states.
Consumers want to know that the information being collected is being actively safeguarded. The Federal Trade Commission (FTC) offers a guide for businesses on how to safeguard personal information and advises that a sound data security plan is built on five key principles.
1. Take stock: Know what personal information is in files and on computers.
According to the FTC, a solid plan begins with knowing what personal information is kept in company files and on employee computers. This includes all computers, laptops, mobile devices, flash drives, disks, home computers and digital copiers. The FTC also recommends that businesses keep track of which employees have access to the information, how it is received and where it is stored.
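As an added illustration of the "take stock" step (example code written for this article, not from the FTC guide or from CIC), the following Python sketch inventories sample file contents for Social Security numbers and Luhn-valid payment card numbers. Findings are reported in masked form so the inventory does not itself become another store of PII; the file names and contents are constructed samples.

```python
import re

# SSN: AAA-GG-SSSS; area numbers 000, 666 and 900-999 are never issued
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/hyphen separators; confirmed with Luhn below
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out order and phone numbers that look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report is not itself a PII store."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text: str) -> dict[str, list[str]]:
    """Return masked SSN and card findings for one document."""
    ssns = [mask(m.replace("-", "")) for m in SSN_RE.findall(text)]
    cards = []
    for m in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", m)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(mask(digits))
    return {"ssn": ssns, "card": cards}


def inventory(files: dict[str, str]) -> dict[str, dict[str, list[str]]]:
    """Map file name to findings, listing only the files that hold PII."""
    report = {}
    for name, text in files.items():
        found = find_pii(text)
        if found["ssn"] or found["card"]:
            report[name] = found
    return report


# Constructed sample contents standing in for files found on a workstation.
SAMPLE_FILES = {
    "rental_applications.txt": "Applicant SSN 123-45-6789, card 4111 1111 1111 1111 on file.",
    "orders.txt": "Order 1234 5678 9012 3456 shipped; call 555-867-5309 with questions.",
    "notes.txt": "Placeholder ID 000-12-3456 is not a real SSN.",
}

if __name__ == "__main__":
    for name, found in inventory(SAMPLE_FILES).items():
        print(name, found)
```

Only the rental application file is reported: the order number fails the Luhn check, the phone number has too few digits, and the 000 area number is never issued.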
2. Scale down: Keep only the information necessary for business.
Once the information is identified, it’s time to scale down and keep only what is needed for business. If there is no legitimate need for a piece of PII, there is no need to collect or store it. Once it has been determined what data is absolutely critical for business operations, it’s important to keep it only for as long as the information is needed. There is no need to use PII such as Social Security numbers as employee or customer identification numbers.
3. Lock it: Protect the information.
It is also essential to lock and protect the information – this includes both physical and electronic security measures. Physical items include paper documents and files, as well as CDs, zip drives and backups containing PII; these should be locked in a file cabinet, safe or room to which only employees with a legitimate need have access. Never leave a laptop or paper files such as rental applications unattended in your vehicle. On the electronic side, it’s critical to keep antivirus and anti-spyware software, firewalls, routers, servers and other systems up to date with the appropriate patches and updates.
Removing or changing default passwords also helps avoid unnecessary risk. The longer and more complex passwords are, the better. According to the FTC, it is best to avoid passwords made of common dictionary words and instead use a combination of upper-case and lower-case letters, numbers and special characters.
4. Pitch it: Properly dispose of information no longer needed.
When it comes time to dispose of what is no longer needed, it is important that the information cannot be read or reconstructed. Paper records should be shredded, burned or pulverized before being discarded. As for computers and portable storage devices, the FTC advises using wipe utility programs to make sure deleted files are no longer recoverable.
5. Plan ahead: Create and be ready to implement a response to security breaches.
Lastly, it’s critical to create a written response plan for a security breach that has been approved and that the staff is familiar with. A timely response to and investigation of the incident is also important, and employees should know who to contact both internally and externally in the event of a data breach. According to the FTC, this may include consumers, law enforcement, customers, credit bureaus and other businesses that may be affected.
In addition to these tips for protecting PII, companies such as Visa®, MasterCard® and American Express® are governed by the Payment Card Industry Data Security Standard (PCI DSS). They are required to maintain compliance with 12 standards, grouped under six overall control objectives: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. While similar to the tips recommended by the FTC, these regulations are much more in-depth, and compliance is mandatory.
The recent data breaches at Target stores and U.S. hotel chains serve as a reminder of how important compliance is. Companies such as Visa and MasterCard currently require both merchants and service providers to maintain PCI DSS compliance, but when it comes to protecting PII, going the extra mile to safeguard data never hurts.
Experian®, for example, takes proactive measures to safeguard PII and holds clients and partners to the same standard by adopting a similar PCI DSS process and requiring an Experian Independent Third Party Assessment (EI3PA) certification. The certification is required for all companies that process, store or transmit credit information provided by Experian.
As a nationwide tenant screening expert for the multifamily housing industry, CIC maintains a Level 1 EI3PA certification on an annual basis to ensure that consumer PII remains safeguarded. Additionally, CIC complies with the Fair Credit Reporting Act (FCRA) and with Consumer Financial Protection Bureau (CFPB) and FTC regulations. Protecting the privacy and information of consumers while delivering the most comprehensive tenant screening remains CIC’s highest priority. CIC subscribers are notified in writing of FCRA regulations and Access Security Requirements, and must consent to uphold those requirements.
As more and more data breaches gain national attention, it’s critical that businesses remain committed to protecting consumer PII and stay at the leading edge of implementing security measures to prevent a breach.