Privacy is a hot topic, and alarming revelations about identity theft and data breaches seem to happen daily. As organizations work to keep Personal Data and Personally Identifiable Information (PII) safe and secure, it becomes more and more apparent that everyone has a role to play in protecting data privacy.
The important thing to remember is that PII is defined as a social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number. With new privacy laws being enacted, Personal Information, such as information that identifies a particular consumer or household, must now be considered as well. One-to-one identifiers (e.g., license numbers, fingerprints, and insurance policy numbers) can be tied directly to individuals, but one-to-many identifiers (data points like first names, last names, job titles, and city of residence) can be combined to achieve the same end.
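To make the one-to-many point concrete, here is an added example (not part of the original article) that measures how many people share each combination of such fields in a constructed sample, reports the smallest combination that singles someone out, and drops fields until every combination is shared by at least two records. The column names, the records, and the k-anonymity threshold are all assumptions chosen for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data. No single column is a one-to-one identifier
# (every value appears at least twice), yet combinations single people out.
RECORDS = [
    {"first_name": "Ana", "last_name": "Lopez", "job_title": "Nurse",    "city": "Denver"},
    {"first_name": "Ana", "last_name": "Lopez", "job_title": "Engineer", "city": "Austin"},
    {"first_name": "Ben", "last_name": "Lopez", "job_title": "Nurse",    "city": "Austin"},
    {"first_name": "Ben", "last_name": "Smith", "job_title": "Engineer", "city": "Denver"},
    {"first_name": "Ana", "last_name": "Smith", "job_title": "Nurse",    "city": "Austin"},
    {"first_name": "Ben", "last_name": "Smith", "job_title": "Nurse",    "city": "Denver"},
]
# The one-to-many fields named in the text, treated here as quasi-identifiers.
QUASI_IDS = ["first_name", "last_name", "job_title", "city"]


def group_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """Smallest group size; k == 1 means at least one person is uniquely identified."""
    return min(group_sizes(records, columns).values())


def singled_out(records, columns):
    """Records that are the only ones with their combination of `columns`."""
    sizes = group_sizes(records, columns)
    return [r for r in records if sizes[tuple(r[c] for c in columns)] == 1]


def smallest_identifying_combo(records, columns):
    """Fewest columns whose combination singles out at least one record, else None."""
    for n in range(1, len(columns) + 1):
        for combo in combinations(columns, n):
            if k_anonymity(records, combo) == 1:
                return combo
    return None


def columns_safe_to_share(records, columns, k_min=2):
    """Greedily drop columns until every combination is shared by >= k_min records."""
    kept = list(columns)
    while kept and k_anonymity(records, kept) < k_min:
        # Drop the column whose removal raises k the most (first one on ties).
        kept.remove(max(kept, key=lambda c: k_anonymity(records, [x for x in kept if x != c])))
    return kept
```

Run against the sample, no single field identifies anyone, but first and last name together already do, so sharing the list "with names only" is not as harmless as it looks.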
So, seemingly small pieces of data can have a large value. Your company should have policies and regulations for you to follow. If you come into contact with, collect, or store information about coworkers or customers, here are four guidelines that can help keep that information safe:
Appropriate security safeguards for Privacy
Some information is more sensitive than others. A list of customer names and email addresses doesn’t need the same security protections as a list of customer names and credit card numbers. You would naturally want to keep the latter list very secure and only share that information on an as-needed basis. But that doesn’t mean the list of names and email addresses should be shared freely with anyone and everyone. It’s still sensitive information.
To gauge the level of sensitivity associated with information, think about the ramifications in the event of a breach. The more sensitive the data, the more intense the protections should be.
Only collect what you truly need
There are several reasons an organization might collect data from its customers: to perform services, for mailing lists (email or snail mail), billing, shipping, etc. Sometimes, as in the case of medical offices, collecting information is simply the starting point of a service relationship.
But it’s important to think about the information you truly need to have and to limit collection to business-critical items. Think about the information you need before you ask for it. Likewise, when others are collecting personal data from you, make sure you are comfortable giving the information out. If you are not comfortable providing the data, then don’t.
Be smart about storing data
Similar to the cautions associated with collecting sensitive information, special considerations apply when storing it. The more sensitive information there is on an organization’s network, the more exposed that organization is in the event of a breach. So before you store it, consider whether it’s business-critical. If not, securely dispose of it. If it is, apply the appropriate safeguards (including physical security measures for paper files, and encryption and secure server storage for electronic files). In addition, be sure to revisit stored data and purge any that is out of date or no longer business-critical, following your company’s record retention policies.
Apply general security best practices to Privacy
Keep common-sense best practices in mind when dealing with private data, because they add an important layer of security. Password protection for secure systems is a must, the use of encryption should always be considered, and keeping your passwords secure is paramount. Do not let unauthorized individuals access secure areas or systems, and don’t be too quick to disclose personal data about you, your family, your coworkers, or your customers over the phone or on social media.
At the end of the day, it’s about recognizing sensitive data and keeping security and privacy top of mind as you use, collect, and store personal data.