ITRC Fact Sheet 135


The following is a guide for the small to mid-size business (SMB) community to assist in planning, addressing, and dealing with issues that may expose the business to data breaches and/or identity theft. In order to conduct business, most companies must keep sensitive personal information in their files. Personally Identifying Information (PII) includes items such as names, Social Security Numbers, credit card information, or other financial account data that identifies customers or employees.

This information often is necessary to fill orders, meet payroll, or conduct other necessary business functions. However, if sensitive data is exposed to the wrong parties, it can lead to fraud, identity theft, or other serious consequences. Given the cost of a security breach, safeguarding personal information is just smart business. In addition to the direct costs, you also risk losing your customers’ trust and perhaps even defending yourself from legal action.

Some businesses may have the expertise necessary to design and implement an appropriate plan in-house. Others may find it helpful to seek a knowledgeable expert. The information in this guide is designed to assist you in identifying the risks to your business. When considering your “Best Practices” strategy, you will need to evaluate what information is required for your business to function, why this information is necessary, and what would be the consequences of exposure of this information. In other words, what is the “Risk Versus Reward Ratio” of collecting and keeping each class of PII?

Note: some reasons for collecting personal information may include:

  • Tax requirements
  • Insurance
  • Contractual agreements

Any additional information that your business collects should be carefully assessed for the risk versus reward benefit.

The key to a strong best practices policy is a six point approach to data and data security.

  • Step one is the assessment of what data you need, what data is required, and what data may be beneficial but ultimately unnecessary. Collecting and keeping only that data necessary for your business is always a best practice.
  • Step two is to identify, create and control the flow of data from the point of collection throughout the entire business operation. This includes whenever the data is in transit, whether it is moving within your business or outside of it.
  • Step three is to determine who within the business needs access to the data to do their job. Controlling the access to data and restricting it to just those that must use the data is very important. You should not assume that those who currently have access to a class of data still need on-going access to that data.
  • Step four is to secure the data. Data storage is a key issue because how you store it may also determine what your legal obligations may be in the case of a data breach. Both digital data and paper files must be considered in this context.
  • Step five is to implement the use of proper data disposal procedures. Proper storage of PII will mean very little if the data becomes exposed when the intention is to dispose of the data. It will not do your business any good to keep data secure if it ends up in the dumpster behind your building, or a used computer is sent to recycling with data files on the hard drive. Properly dispose of what you no longer need.
  • Step six is to plan for what happens when something goes wrong or fails, and a data exposure occurs. There is no fool-proof system for securing all your PII data all the time. There is no way to protect against a truly determined thief, so your best efforts need to be directed towards reducing your risks where and whenever possible, and having a pre-existing plan if data exposure should occur.

It is most important that SMB executive staff plan ahead. Create a plan to respond to security incidents. Look closely at what your business does, and how you do it. You must assess the information you have, identify those with access to it, and create effective policies regarding information safety. That being said, let’s look at some of the factors that affect data security:

Physical Security

Many data compromises happen when paper documents are lost or stolen. Of particular note is the frequency of exposure of PII through the disposal of paper documents without proper shredding. Appropriate storage is also a concern.

  • Store paper documents or files, as well as CDs, floppy disks, zip drives, tapes, and backups containing PII in a locked room or in a locked file cabinet.
  • Limit access to these documents to employees with a legitimate business need.
  • Control who has access keys and the number of keys issued.
  • Require that files containing personally identifiable information only be taken out of secure storage when being used. Documents and data should be kept in locked file cabinets except when an employee is working on the file.
  • Remind employees not to leave sensitive papers out on their desks when they are away from their workstations.
  • At the end of the day, require employees to secure files, log off their computers, and lock their file cabinets and office doors.

Minimize your risk by implementing appropriate access controls for your building. Instruct employees how to report any incident if they see an unfamiliar person on the premises. If you ship sensitive information using outside carriers or contractors, encrypt the information and keep an inventory log of the information being shipped. Also use a shipping service that will allow you to track the delivery of your information.

Electronic Security

Computer security isn’t just the realm of your IT staff. Make it your business to understand the vulnerabilities of your computer systems, and follow the advice of experts in the field. It is necessary that executive(s) and/or officers of the company continuously update their knowledge of security exploits, and become even more aware of the human factor in most data exposures. The best security practices will fail if employees do not follow the protocols, or are dishonest.

General Network Security

Identify the computers or servers where sensitive personal information is stored. It is good practice to minimize the number of machines that store PII. Physical security of sensitive computers, as well as network security, is easier when the number of machines is smaller.

Identify all connections to the computers where you store sensitive information. You may be surprised at the number and types of connections that could be used to copy PII or transfer it outside your security zone. Connections might include the Internet, electronic cash registers, branch office connections, computers used by service providers to support your network, wireless devices (inventory scanners), Bluetooth devices, USB devices, CD/DVD burners, and cell phones or PDAs. Each of these types of connections can offer both accidental and intentional exposure of sensitive data.

It is desirable to store PII on servers that are not also used as an Internet web server. There have been a significant number of data breaches in the past year due to incorrect web server permissions. If the PII is stored on a file server (not a web page server), then a host of possible problems are eliminated.

Encrypt sensitive information that you send to third parties over public networks (like the Internet), and consider encrypting sensitive information that is stored on your computer network or on disks or portable storage devices used by your employees. Consider also encrypting email transmissions within your business if they contain personally identifying information. Many state laws do not consider an incident to be a breach IF the data was encrypted at the time of exposure.

Regularly run anti-virus and anti-spyware scans on individual computers and servers on your network. It is vital to see that these programs are updated with the most recent definition files, and that Windows updates are enabled.

Check expert websites and your software vendors’ websites regularly for alerts about new vulnerabilities, and implement policies for installing vendor-approved patches to correct problems. Scan computers on your network to identify and profile the operating system and any open network services. If you find services enabled that are not in use, disable them to prevent hacks or other potential security problems.

Password Management

Control access to sensitive information by requiring that employees use “strong” passwords. Explain to employees why it is against company policy to share their passwords or post them near their workstations. See that password-activated screen savers lock employee computers after a short period of inactivity. Server policies should lock out users who don’t enter the correct password within a designated number of log-on attempts, although the policy can allow the employee to try again after a designated period of time. This policy has a major effect in stopping automated password cracking attempts.
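The lockout policy described above, written out as an added example (this is hypothetical illustration code, not part of the fact sheet or any vendor product): an account locks after a set number of consecutive failures and is released again after a cooldown, and a simulated automated guessing run shows how few guesses actually get evaluated.

```python
"""Account lockout with timed release, modelled on the server policy above.

Hypothetical example: an in-memory policy object, not any vendor's product.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class AccountState:
    failures: int = 0                      # consecutive failures since last success
    locked_until: Optional[float] = None   # epoch seconds; None when not locked


@dataclass
class LockoutPolicy:
    max_attempts: int = 5          # failures allowed before the account locks
    lockout_seconds: float = 900   # how long it stays locked (15 minutes)
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout period has expired: the employee may try again, counter reset.
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one log-on attempt; returns 'locked', 'ok' or 'denied'."""
        st = self._state(user)
        if self.is_locked(user, now):
            # Attempts made while locked are not evaluated at all; this is what
            # starves an automated guessing tool of feedback.
            return "locked"
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
        return "denied"


def simulate_guessing(policy: LockoutPolicy, user: str, guesses: int,
                      interval: float = 0.1) -> int:
    """Send `guesses` wrong passwords `interval` seconds apart and return how
    many were actually evaluated (not rejected outright as 'locked')."""
    evaluated = 0
    for i in range(guesses):
        if policy.attempt(user, password_ok=False, now=i * interval) != "locked":
            evaluated += 1
    return evaluated
```

With the defaults, 1000 guesses fired at ten per second over 100 seconds result in only five being checked; the legitimate user can still log in once the 15-minute window has passed.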

When installing new software, immediately change vendor-supplied default passwords to a secure strong password. Caution employees against transmitting sensitive personally identifying data such as Social Security numbers, passwords, and account information via email. Unencrypted email is not a secure way to transmit any information.

Laptop Security

Assess whether sensitive information really needs to be stored on a laptop. If not, delete it with a “data wiping” program that overwrites data on the laptop. Deleting files using standard keyboard commands isn’t sufficient because data may remain on the laptop’s hard drive. Data wiping programs are available at most office supply stores.

Restrict the use of laptops to only those employees who need them to perform their jobs. Even when laptops are in use, consider using cords and locks to secure laptops to employees’ desks. Also, if a laptop contains sensitive data, encrypt it and configure it so users can’t download any software or change the security settings without approval from your IT specialists.

Additionally, train employees to be mindful of security when they’re on the road. Require employees to always store laptops in a secure place. They should never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage unless directed to by airport security. If it is ever necessary to leave a laptop in a car, it should be locked in a trunk. (For more on travel security measures reference ITRC Fact Sheet FS 134 – Business on the Move).

Firewalls

A firewall is software or hardware designed to block hackers from accessing your computer. It is preferable that you also use a router with a hardware firewall. This is a strong protective measure. Make sure you always have at least one firewall in operation. Remember to keep all firewall software updated. (For additional information on firewalls, please see ITRC Fact Sheet FS 119 – Direct Connections to the Internet).

Wireless and Remote Access

Determine if you use wireless devices like inventory scanners or cell phones to connect to your computer network or to transmit sensitive information. If you do, consider limiting who has the ability to remotely access the computer network. You can also make it harder for an intruder to access the network by limiting the number of wireless devices that can connect to your network. Encrypting transmissions from wireless devices to your computer network may prevent an intruder from gaining access through a process called “spoofing”—impersonating one of your computers to get access to your network. Consider using encryption if you allow remote access to your computer network by employees or by service providers, such as companies that troubleshoot and update software you use to process credit card purchases.

Detecting Breaches

To detect network breaches when they occur, consider using an intrusion detection system. To be effective, it must be updated frequently to address new types of hacking. Maintain central log files of security-related information to monitor activity on your network so that you can spot and respond to attacks. If there is an attack on your network, the log will provide information that can identify the computers that have been compromised.
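As an added example of the kind of triage a central log file makes possible (not part of the fact sheet; the log layout and the sample lines are constructed for illustration), the script below walks a consolidated authentication log and flags each computer where a source address failed to log on repeatedly and then succeeded, which is the sort of pattern that points investigators at the machines that may have been compromised.

```python
"""Triage of a central authentication log (constructed sample, hypothetical format)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in a syslog-like layout:
#   <timestamp> <host> auth: <FAILED|SUCCESS> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-01T09:00:01 fileserver1 auth: FAILED user=jsmith src=203.0.113.7
2024-03-01T09:00:02 fileserver1 auth: FAILED user=jsmith src=203.0.113.7
2024-03-01T09:00:03 fileserver1 auth: FAILED user=jsmith src=203.0.113.7
2024-03-01T09:00:04 fileserver1 auth: FAILED user=admin src=203.0.113.7
2024-03-01T09:00:09 fileserver1 auth: SUCCESS user=admin src=203.0.113.7
2024-03-01T09:01:00 payroll-pc auth: FAILED user=mlee src=192.0.2.20
2024-03-01T09:01:30 payroll-pc auth: SUCCESS user=mlee src=192.0.2.20
2024-03-01T09:05:00 register2 auth: SUCCESS user=clerk src=192.0.2.31
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text: str) -> List[Dict[str, str]]:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspect_hosts(events: List[Dict[str, str]],
                       threshold: int = 3) -> Dict[str, List[str]]:
    """Return {host: [src, ...]} for every source that failed at least
    `threshold` times in a row on a host and then logged on successfully.
    Events are assumed to be in chronological order."""
    failures = defaultdict(int)     # (host, src) -> consecutive failures
    suspects = defaultdict(list)
    for e in events:
        key = (e["host"], e["src"])
        if e["result"] == "FAILED":
            failures[key] += 1
            continue
        # A success: was it preceded by a burst of failures from this source?
        if failures[key] >= threshold:
            suspects[e["host"]].append(e["src"])
        failures[key] = 0
    return dict(suspects)


if __name__ == "__main__":
    for host, sources in find_suspect_hosts(parse(SAMPLE_LOG)).items():
        print(f"review {host}: success after repeated failures from {sources}")
```

A single mistyped password followed by a success (payroll-pc above) is normal user behaviour and is not flagged; only fileserver1 is reported.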

Employee Training

A well-trained workforce is the best defense against identity theft and data breaches. Check references or do background checks before hiring employees who will have access to sensitive data.

Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data. Employees should understand that abiding by your company’s data security plan is an essential part of their duties. Regularly remind employees of your company’s policy—and any legal requirement—to keep customer information secure and confidential.

Know which employees have access to consumers’ sensitive personally identifying information. Pay particular attention to data like Social Security numbers and account numbers. Limit access to personal information to employees with a “need to know.”

Train employees on how to recognize security threats. Tell them how to report suspicious activity and publicly reward employees who alert you to vulnerabilities. Require employees to notify you immediately if there is a potential security breach, such as a lost or stolen laptop. Impose disciplinary measures for security policy violations.

Have a procedure in place for making sure that workers who leave your employ, or transfer to another part of the company, no longer have access to sensitive information. Terminate their passwords, and collect keys and identification cards as part of the check-out routine.

Security Practices of Contractors and Service Providers

Your company’s security practices depend on the people who implement them, including contractors and service providers. Before you outsource any of your business functions— payroll, web hosting, customer call center operations, data processing, or the like—investigate the company’s data security practices and compare their standards to yours. Address security issues for the type of data your service providers handle in your contract with them. Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data.

Document Disposal

Leaving credit card receipts or papers or CDs with personally identifying information in a dumpster facilitates fraud and exposes consumers to the risk of identity theft. By properly disposing of sensitive information, you ensure that it cannot be read or reconstructed. Implement information disposal practices that are reasonable and appropriate to prevent unauthorized access to—or use of—personally identifying information. Reasonable measures for your operation are based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology. Effectively dispose of paper records by shredding, burning, or pulverizing them before discarding. Make shredders available throughout the workplace.

Point of Contact for Data Breaches

There should be a person in your company or organization that audits information and tracks who has access to PII files or records. This person should be the first person notified in the event information is misplaced or lost. This way, a response team can be alerted to follow a pre-established protocol regarding information containment as well as implement the steps which need to be taken at that time by the company or agency.

Security Check: Reducing Risks to your Company

When consumers open an account, register to receive information, or purchase a product from your business, it’s very likely that they entrust their personal information to you as part of the process. If their information is compromised, the consequences can be far-reaching. Consumers, if victimized by the data exposure, can become less willing – or even unwilling – to continue to do business with you.

Company Rules

Now it is more important than ever that companies have established, well-documented policies for the collection, storage, protection and disposal of personal information. More companies are finding themselves being held responsible for the data they collect. This becomes apparent when a company has a data breach that is nothing more than a classic mishandling of information. Across the United States, attorneys are holding these companies to a higher standard. The companies that do not have clearly defined programs and policies find themselves unable to mount a defense in a court of law. It is imperative to put all protocols in writing.

If it is not in writing, then there is little or nothing to protect you in a court of law. A verbal policy is not really a policy.

When adopting a “Best Practices” strategy, consider the following:

  • What information does your business need to function?
  • What information is required to function?
  • What is the risk versus reward value of additional information?
  • When evaluating your business’ security, you need to follow the flow of information so you can identify the potential problem spots.

Some Questions to Ask Yourself

Do you receive or collect PII from:

  • your customers?
  • credit card companies?
  • banks or other financial institutions?
  • credit bureaus?
  • any other source?

How does your business receive or collect personal information?
Does it come to your business:

  • through a website?
  • by email?
  • through U.S. Mail?
  • transmitted through cash registers in stores?
  • by face-to-face interactions?

What kind of information do you collect at each entry point?

  • Social Security numbers
  • Credit card numbers
  • Driver’s license numbers
  • Checking account information
  • Other financial account information
  • Passwords
  • Other general information (such as telephone, address, date of birth)

Where do you keep the information you collect at each entry point?
Is it maintained or stored in/on:

  • a central computer database?
  • individual laptops?
  • disks or tapes?
  • file cabinets?
  • branch offices?
  • an employee’s home files?

Who has or could have access to the information?

  • All employees
  • Selected employees
  • Consultants
  • Service providers
  • Outside sub-contractors*
  • Temporary/employment agency
  • Non-employees on official business
  • General public

* for example, billing department, janitorial, call center, laboratory, marketing firms, payroll, credit card processing company, check processing company, mail fulfillment house

If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. Don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it is necessary.

The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of business relationships.

Related Resources:

  • FTC’s Red Flag Rule: Guidelines for creating and implementing a written Identity Theft prevention plan:

This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to