used with permission from FTC.gov
by Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
High-profile hackers grab the headlines. But some data thieves prefer old school methods — rifling through file cabinets, pinching paperwork, and pilfering devices like smartphones and flash drives. As your business bolsters the security of your network, don’t let that take attention away from how you secure documents and devices.
FTC law enforcement actions, closed investigations, and experiences we’ve heard from businesses demonstrate the wisdom of adopting a 360° approach to protecting confidential data. As Start with Security suggests, securing paper, physical media, and devices is an important part of that strategy.
Securely Store Sensitive Files.
If your company has already committed to starting with security, you understand the importance of collecting sensitive information only if you have a legitimate business need and keeping it safe while it’s in your possession.
Example: A local gym maintains personnel files on its current employees. The files contain sensitive data — for example, tax documents with Social Security numbers and direct deposit authorizations with bank account information. The files are kept in the manager’s office, which is located in an “employees only” part of the facility. In addition, the manager keeps the files in a cabinet that is locked at all times. Whenever he is helping clients or away from his office for any other reason, he takes the additional precaution of locking his door — a lock that only he and his assistant manager can open. By implementing basic protections, the gym is taking steps toward maintaining the security of confidential information in its possession.
Example: A tax preparation firm has a legal obligation to retain clients’ records for a certain period of time. The firm keeps them in a central storage room open to all businesses that lease office space on that floor. By leaving those files in an unsecured location, the firm has created an unnecessary risk that clients’ sensitive information could be misappropriated.
Protect Devices That Process Personal Information.
It may look like “just a phone,” but in the wrong hands and with insecure configuration, it could be a skeleton key that gives a data thief unauthorized access to everything on your network. And what if a traveling employee leaves a flash drive with a database of customer account details in a hotel business center? Companies concerned about security take steps to protect devices that store and process confidential data.
Example: A data processing firm issues its employees smartphones so they can stay in touch when they’re on the go. The firm requires employees to lock phones with a passcode and encrypts the data on the device. Recognizing that people may occasionally misplace their phones, the firm enables device-finding services and uses an app to ensure that it can remotely wipe the device if it goes missing. The firm also trains employees on the procedures for promptly reporting a missing phone. By putting commonsense policies in place and training staff members on complying with them, the firm has taken a basic precaution to protect data accessible through those devices.
Keep Safety Standards in Place When Data Is En Route.
As Start with Security and an earlier post in the Stick with Security series suggest, prudent companies exercise care when transferring sensitive information. They also establish sensible standards and train their employees to take precautions when files or devices are out of the office.
Example: A company with five branch offices in one city assigns an employee to drive to each branch at the end of the day to collect purchase orders that include customers’ financial information. The company doesn’t provide security training to the employee. On one occasion, the employee stops to runs a personal errand, leaving the paperwork in a backpack in her car. She returns to find the passenger window smashed and the backpack stolen. By not training the employee on how to keep the documents safe during her daily rounds, the company has contributed to the risk that the financial information will be accessed by individuals outside the company.
Example: A regional office of a national consulting firm must send an external hard drive to headquarters. The regional office uses an encrypted drive and sends it via a delivery service that offers package tracking. Those two precautions reduce the risk of unauthorized access to the data.
Dispose of Sensitive Data Securely.
It may look like trash to you, but discarded paperwork, deleted electronic files, or obsolete equipment are treasure to a data thief. Just tossing documents in the bin or clicking DELETE is unlikely to deter infobandits. To prevent them from reconstructing discarded files, responsible companies take the prudent step of shredding, burning, or otherwise destroying documents and using tech tools that truly render electronic files unreadable.
Furthermore, if your business is covered by the Fair Credit Reporting Act, securely disposing of certain confidential data — credit reports and files containing information derived from those reports — doesn’t just make good business sense. Under the FCRA’s Disposal Rule, it’s the law.
Example: A small bookkeeping company places two receptacles in each employee’s office: a waste basket for trash and non-sensitive paperwork and a separate bin for documents that include confidential information. A staff member regularly gathers the confidential documents and shreds them. The company also keeps a shredder near the photocopier so employees can destroy misfeeds or extra copies of sensitive documents. Those simple steps can help reduce the risk of information ending up in unauthorized hands.
Example: An accounting firm decides to donate some old laptops to a charity and directs staff members to delete the files on the computers’ hard drives. However, just clicking DELETE doesn’t actually delete sensitive data. Even if a file name doesn’t show up on the list of available documents, it doesn’t take much for a data thief to retrieve it. The wiser practice is to securely wipe the hard drive clean using software specifically designed for that purpose.
To stick with security, prudent companies put sensible precautions in place to safeguard paperwork, flash drives, phones, CDs, and other media that may contain sensitive information.