Ways to Guard Against Data Theft

Special to The Times

A thief takes a laptop belonging to Fidelity Investments that contains the Social Security numbers and birth dates of nearly 200,000 Hewlett-Packard Co. retirees. An auditor loses a computer disk that holds sensitive information on employees from -- of all places -- security software maker McAfee Inc.

Behind the headlines about these large corporations is a sobering question for smaller businesses: Are you -- and by extension your customers -- protected against similar data losses?

Security experts say small companies are potentially more vulnerable to breaches. Most don’t have the luxury of putting an employee in charge of privacy, and they generally have less access to the sophisticated legal advice larger companies can afford.

Moreover, many small-business owners are too busy -- or unaware of the need -- to set up routine security practices. About 60% of small businesses don’t encrypt their wireless networks, according to a recent study.

“There is not a business in the U.S. that would leave a box of cash on the counter,” said Lydia Parnes, director of the Bureau of Consumer Protection at the Federal Trade Commission in Washington.

“Information is the new currency. So just as a business needs to safeguard their cash, they need to safeguard their customers’ information.”

That applies, for example, to the self-employed physical therapist who keeps clients’ medical records on her home computer, the salesperson on a cellphone discussing an account’s billing history, even the company with a jumble of old computers in an unlocked storage closet.

Small-business owners can take steps, online and offline, to protect sensitive personal and financial information. Clear policies, effective employee training and consistent implementation, along with secure computer software and hardware, are the building blocks of data security, experts say.

To assist small businesses, the Council of Better Business Bureaus has issued a guide to protecting customer data, “Security and Privacy -- Made Simpler.” The online guide, along with a downloadable Web seminar and continuing updates, is available free at www.bbb.org/securityandprivacy.

This fall, the group, which compiled the information with help from Privacy and American Business, a service of nonprofit think tank the Center for Social and Legal Research, will release a guide on how to protect employee data.

It’s an important issue for all businesses, which have responsibilities under a growing body of state and federal privacy law. In California alone, 70 privacy and identity theft laws have been passed since 1999, said Joanne McNabb, chief of the California Office of Privacy Protection, a division of the state’s Department of Consumer Affairs.

(The department has its own guide to practices for businesses at www.privacy.ca.gov.)

“Your customers care about it and your employees care about it, and therefore you will necessarily care about it,” said Steve Cole, president and chief executive of the better-business council. “But it’s manageable.”

Two principles to keep in mind: Don’t collect personal information from a customer unless it is absolutely necessary. And don’t hold on to such information any longer than it is needed.

To start, security experts say, find the weak spots in data security at your company, listing all the ways you collect customers’ personal information, where it is stored and who has access to it. In addition to Social Security numbers, this information can include transaction patterns and account records.

Some companies may decide to bring in an information technology consultant or lawyer to find and address potential data security risks.

With or without outside help, a company needs to create a written security and privacy policy. There are online resources to assist with this step, including BBBOnLine (www.privacyplanner.com) and the Direct Marketing Assn.’s site (www.the-dma.org/privacy/privacypolicygenerator.shtml).

Once policies are in place, experts say, companies must train employees regularly to follow the rules and to use computer security tools such as effective passwords, data encryption and security software.

The sensitive data on the stolen Fidelity laptop, for example, was encrypted.

Security software also can help protect against the relatively new phenomenon of key-logging (the use of malicious software that captures computer keystrokes, including passwords), spyware and Trojan-horse viruses, said Peter Schmalzle, owner of SmallSystems Inc.

Schmalzle, whose San Diego information technology firm specializes in small businesses, uses four antivirus and antispyware programs to seek out and destroy malicious software on a company’s computers.

“It’s a tedious process, but it’s worth it because then you know the machine is clean,” he said. He recommends that his clients then run a basic security program once a week.

Schmalzle also discourages small businesses from hosting company e-mail on site, a practice that is vulnerable to hackers, he said. He recommends outsourcing that function.

Computers are not the only targets for data theft. Some fax machines and copy machines are equipped with hard drives that may contain sensitive company information. When disposing of old machines, companies are advised to use commercial software to permanently erase data on these devices. Information that has only been deleted could be restored and misused.

Other simple, low-tech steps include locking company mailboxes, file cabinets, office doors and computer storerooms and shredding discarded documents.

If there is a loss or theft of customer data, a company doing business in California is required to notify the customers involved. Most breaches are not required to be reported to a government agency.

It makes sense to protect your business and customer data from loss or theft, to ensure that you comply with federal and state laws and to earn the trust of your customers by having sound privacy practices.

“There is no silver bullet,” said the FTC’s Parnes, “but no business can avoid this issue.”

Cyndia Zwahlen can be reached at cyndia.zwahlen@latimes.com.

*

Web resources

Some online information on data security:

* Breaches: An eye-opening chronology of data breaches compiled by Privacy Rights Clearinghouse is at www.privacyrights.org.

* Privacy laws: Links to California and federal privacy and identity theft laws can be found on the California Office of Privacy Protection website at www.privacy.ca.gov/lawenforcement/laws.htm.

* Pending legislation: To track pending federal privacy laws, go to www.epic.org/privacy/bill_track.html.

* Federal Trade Commission: Business security information is available at www.ftc.gov/bcp/conline/edcams/infosecurity/businfo.html.
