Identity theft can have devastating financial and psychological consequences for individuals whose personal information is stolen. When thieves make purchases, empty bank accounts, or take out loans under other people’s names, it can take months, or even years, for victims to restore their credit records.
Less well known is the catastrophic effect identity theft can have on businesses that fail to adequately protect confidential data. “Losing” a customer’s data can result in litigation or fines, and it may damage a company’s reputation irreparably if a data breach is made public. Smaller companies, in particular, are at risk of being targeted by identity thieves as larger companies become more adept at warding off attacks by hackers and other thieves.
Here are some of the precautions you, as a business owner, can take to reduce the risk of sensitive customer data falling into the wrong hands:
- Minimize the amount and types of information collected. The theft of Social Security numbers can be particularly damaging to individuals, so companies should use other means of identifying customers whenever possible. Even less sensitive types of information, such as phone numbers and birth dates, can be attractive to thieves.
- Conduct all e-commerce transactions through authentication systems with several layers of security designed to verify that the user who accesses an account or provides information is the legitimate owner of that information.
- Restrict employee access to data. Employees should be authorized to view or handle data on a “need-to-know” basis. There are software programs available that allow you to monitor who is accessing data at any given point in time; store this information should an audit become necessary later. Access to the company’s databases should be withdrawn immediately when an employee leaves the company.
- Remind employees that phone conversations can be overheard and computer screens can be viewed by unauthorized individuals. Employees should take care when discussing confidential information and lock their computers when they are away from their desks.
- Shield your computer network with firewalls designed to create a protective barrier between your company’s network and the Internet. Available as either software or hardware, firewalls can stop potential hackers from gaining access to confidential information stored in your system.
- Use encryption when exchanging sensitive information with customers via a website or e-mail, and encrypt confidential customer data stored on servers and backup systems. Encryption software scrambles data, both in transit over the Internet and at rest on servers and backups, so that information a hacker intercepts or steals is difficult to read without the decryption key.
- Install antivirus and anti-spyware software packages on all company computers. These programs should include automatic updates and should never be disabled. As an extra precaution, remind employees not to open e-mail from unfamiliar addresses.
- Store information in the most secure location possible, and properly dispose of old records. If it is not necessary to keep customer information online, it is safer to store it offline in file cabinets under lock and key. Avoid storing confidential data on easily stolen disks or CD-ROMs. Hard copies of records containing sensitive information should be shredded when no longer needed.
- Protect hardware from tampering or theft. Thieves can tap into sensitive data stored on servers or the hard drives of computers and notebooks if they find or steal the equipment. Employees should not take notebooks containing sensitive customer information outside of the company unless it is necessary to do so. Businesses should run hard-drive shredding software before disposing of old computer equipment.
- Include as little personal information as possible in written correspondence to customers, as thieves can steal Social Security and account numbers by intercepting mail.
Should a data breach nonetheless occur, it is essential to take prompt action. The compromised accounts should be suspended immediately, and the systems containing the data should be shut down to prevent additional theft. Notify the police and the FBI of the breach, as well as any customers who might be affected. Your company’s security systems should be thoroughly analyzed to establish how the breach occurred, and steps should be taken to prevent future losses.