There are many federal laws, like the Gramm-Leach Bliley Act, the FTC Act, and the Fair Credit Reporting Act, the pending senate bill 1490 as well as many local state laws which govern the protection of sensitive information gathered by businesses.  If you are in business, it is important to understand how government privacy regulation affects your business and what steps to take to protect the sensitive data that you collect as a part of your business.  

Failure to take adequate measures to protect the privacy of your data can lead to a breach which can be costly to your business and may even lead to a lawsuit.  The FTC gives the following guidelines for securing your data.

Take Stock of What Sensitive Information Your Business Collects

Businesses keep track of lots of kinds of data for legitimate purposes.  Home addresses, names, financial records, even social security numbers can be collected by businesses to help them perform vital business functions.  In order to protect this information you need to know who you keep records on, how that data is collected, and where it is stored. 

Your business might be collecting information about your customers, employees, or others. It may be collected at the point of sale in a store, through your web site, from credit card companies or other sources.  The data might be stored in file cabinets, on computers or removable storage devices,  in email in-boxes and many other places.

Scale Down What Information Your Business Keeps

In order to keep private data secure it is most important to collect and keep only information which is necessary for legitimate business purposes.  Keep it only as long as is necessary.  For example, there is probably no reason to keep credit card numbers after the transaction has been settled. 

Have a written business policy for how to maintain any sensitive data that does need to be stored, such as an employee's tax information.  Also, never use SSN for unnecessary purposes, such as for customer identification numbers.  In the past it was common to use SSNs as a customer or employee identifier but that is now creating the risk of theft and identity fraud and exposing businesses to potential liability.

Lock Down Sensitive Data

You should maintain proper security measures for the information your business does keep.  This includes physical security, electronic security, employee training and knowing the security practices of third party providers and servicers. Physical security includes proper locks on doors and filing cabinets and limiting access to the appropriate employees. 

Electronic security includes data encryption, password protection on networks and computers, proper information storage and disposal practices, many of which are outlined in the book How To Vanish.  Employees should also be trained in how to handle sensitive information and how to keep it from being compromised.  Also, be aware of how third parties, like payroll services or janitorial services, are taking measures to protect the data that they have access to.

Proper Information Disposal

Just throwing out papers or selling an old company laptop are not proper disposal practices. Using 100 tons of TNT might be overkill.

Proper disposal techniques include using a paper-shredder for documents, wiping your computer hard drive in order to fully delete a file and other practices found in How To Vanish.

Plan Ahead

If there are information security breaches, it is important to know ahead of time who you should call and what you should do.  You may want to look for an information technology expert to help you identify when a breach has occurred and what to do to patch it up. You will also want to know if there are any federal or local authorities, customers or others that  you need to contact in case of a breach.

Conclusion

Avoiding a breach of privacy before it happens is important for everyone.  If you are a business owner or manager, following these steps, outlined in more detail at the FTC website, can save you money and help you avoid a lawsuit by avoiding a breach of privacy and by being able to show compliance with the law. 

If you know a business owner or manager, feel free to email them or forward them this information so that they too can protect their customers and employees and devise a strategy for complying with the law. 

You can find a discussion of important laws which require disclosures by businesses, not just banks, and a general discussion of the circumstances that give rise to the need to disclose in this  bank privacy report.  Other important strategies and techniques to protect privacy can be found in the book How To Vanish.

DISCLAIMER

This article is intended to be a general discussion only, and must not be considered legal advice. Your use of it does not create an attorney-client relationship. Any liability that might arise from your use or reliance on this article, or any of its links, is expressly disclaimed. This blog is not legal, accounting or tax advice, and is not to be acted on as such.