Preventing Fraud and Identity Theft - Part Two
A sound data security plan to prevent fraud and identity theft is built on 5 key guidelines. Last month, we started this series with the first guideline and steps to analyze what types of information you receive and where you store that information. This month, we present the next guideline you need for ensuring the security of your clients' and employees' information. Smith Office Solutions wants you and your customers to be protected from these costly issues.
Guideline two: Keeping only the information you need to run your business.
If there isn't a legitimate business need for sensitive or personally identifying information, don't keep it; even better, don't even collect it. If you do have a legitimate business need for the information, keep it only as long as it is actually necessary.
Social Security numbers:
Don't use Social Security numbers as employee or customer identification numbers, or just because you've always done it. Only use Social Security numbers for required and lawful purposes, such as reporting employee taxes or for filing a Form 1099.
Credit card numbers:
The law requires that the credit and debit card receipts you give your customers be shortened, or truncated. No more than the last five digits of the card number can be printed, and you must remove the expiration date. Don't keep customer credit card account numbers and expiration dates unless you have a legitimate business need to do so. Keeping this information, or keeping it longer than you need it, increases the risk that the information could be used fraudulently or to commit identity theft. It is a good idea to check the settings on the software you use to process credit card transactions. The default settings may be preset to keep information permanently. If necessary, change your default settings to make sure that you are not keeping information you don't need.
If you must keep sensitive or personally identifying information for business reasons, or in order to comply with the law, you should develop a written policy to identify the following:
- What information must your company keep?
- How does your company secure the information kept?
- How long do you keep the information?
- How does your company securely dispose of the information it no longer needs?
Next issue we will present:
Guideline three: Protect the information that you keep.