Data Security for Businesses

With identity theft becoming a major issue in the United States, both state and federal governments have enacted stringent laws to prevent it. These laws require business organizations to maintain data security with regard to the personal information of customers. Even in the absence of such strict laws in India, it makes a lot of sense for business entities to maintain at least a certain degree of data security to safeguard personal information, since leaks can lead not only to litigation under various existing legal provisions but also to loss of credibility and customer trust, erosion of brand equity and, of course, a bad Press. Financial institutions in particular, along with retail outlets and other manufacturing and service units in the B2C space, can incur huge losses in the form of unrecoverable credit exposure arising from fraudulent use of customer identities. This article takes a look at some of the ways businesses can avoid such problems.

Identity theft experts have discovered that in many cases dishonest employees in the workplace get hold of sensitive personal information of employees and customers and disclose it to identity thieves.

One of the keys to preventing identity theft, therefore, is to safeguard personal information within the workplace, whether it’s a business, government agency, or nonprofit. Targets for identity thieves include credit/debit card numbers, driver’s license numbers, financial account numbers, PINs, passcodes, and dates of birth.

The Privacy Rights Clearinghouse, one of several organizations leading the fight against identity theft and upholding the privacy rights of individuals, has come out with a list of suggestions as to what businesses can do to safeguard personal information. Some of these suggestions, modified in the light of Indian conditions, are given below:

* Adopt a comprehensive privacy policy that includes responsible information-handling practices. Appoint an individual and/or department responsible for the privacy policy – someone who can be contacted by employees and customers with questions and complaints.

* Store sensitive personal data in secure computer systems. Encrypt! And make sure your wireless network is protected with the proper security settings. Store physical documents in secure spaces such as locked file cabinets. Data should only be available to qualified persons.

* Dispose of documents properly, including shredding paper with a cross-cut shredder, “wiping” electronic files, destroying computer drives and CD-ROMs, and so on.

* Build document destruction capabilities into the office infrastructure. Place shredders around the office, near printers and fax machines, and near waste baskets. Use cross-cut (confetti) shredders rather than strip-shredders. Make sure dumpsters are locked and inaccessible to the public.

* Conduct regular staff training, including new employees, temporary employees, and contractors.

* Conduct privacy “walk-throughs” and make spot checks on proper information handling. Reward employees and departments for maintaining “best practices.”

* Put limits on data collection to the minimum information needed. For example, is the credit/debit card/bank account number really required? Is complete date of birth needed, or would year and month be sufficient?

* Put limits on data display and disclosure. Do not print personal identifying information on paycheques, parking permits, staff badges, time sheets, training program rosters, lists of who got promoted, on monthly account statements, on customer reports, and so on. Do not print such information on mailed documents or require that they be transmitted via the Internet unless it is absolutely necessary.

* Restrict data access to staff with legitimate need to know. Implement electronic audit trail procedures to monitor who is accessing what. Enforce strict penalties for illegitimate browsing and access.

* Conduct employee background checks, especially for individuals who have access to sensitive personal information. Screen cleaning services, temporary services, and contractors.

* Safeguard mobile devices that contain sensitive personal data, such as laptops, Blackberries, PDAs, and mobile phones. These are a favorite target of thieves.

* Notify customers and/or employees of computer security breaches involving sensitive personal information. Also notify individuals when security breaches involve paper records.

* Develop a crisis management plan to be used if sensitive employee or customer data is lost, stolen, or acquired electronically. The plan should include instructions to prevent identity theft if credit/debit card numbers and/or financial account numbers are obtained illegitimately.

* Regularly audit compliance with all in-house information-handling practices and privacy policies.
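One way to put the "electronic audit trail" and need-to-know suggestions above into practice is to check each logged access against a role entitlement table and flag staff who browse an unusual number of customer records. This is an added example, not code from the original article; the log format, role names, entitlement table, sample entries and browsing threshold are all assumptions constructed for the demo.

```python
"""Need-to-know audit-trail check over a constructed access log (added example)."""
from collections import defaultdict

# Assumed entitlement table: which data classes each role legitimately needs.
ENTITLEMENTS = {
    "teller":  {"account_balance", "name"},
    "support": {"name", "contact"},
    "finance": {"account_balance", "card_number", "name"},
}

# Constructed sample audit trail, one access per line:
# "timestamp,user,role,customer_id,data_class"
SAMPLE_LOG = """\
2024-03-04T09:01:10,asha,teller,C1001,account_balance
2024-03-04T09:02:44,asha,teller,C1002,name
2024-03-04T09:05:03,ravi,support,C2001,card_number
2024-03-04T09:06:19,ravi,support,C2001,contact
2024-03-04T09:10:00,meera,support,C3001,name
2024-03-04T09:10:05,meera,support,C3002,name
2024-03-04T09:10:09,meera,support,C3003,name
2024-03-04T09:10:14,meera,support,C3004,name
"""

def parse_log(text):
    """Yield one dict per non-blank log line (assumed CSV layout above)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, cust, cls = line.split(",")
        yield {"ts": ts, "user": user, "role": role, "customer": cust, "cls": cls}

def audit(text, browse_threshold=3):
    """Return (violations, browsers).

    violations: (user, customer, data_class) tuples outside the role's entitlement.
    browsers:   user -> distinct customers viewed, for users above the threshold.
    """
    violations = []
    seen = defaultdict(set)
    for e in parse_log(text):
        allowed = ENTITLEMENTS.get(e["role"], set())  # unknown role -> nothing allowed
        if e["cls"] not in allowed:
            violations.append((e["user"], e["customer"], e["cls"]))
        seen[e["user"]].add(e["customer"])
    browsers = {u: len(c) for u, c in seen.items() if len(c) > browse_threshold}
    return violations, browsers

if __name__ == "__main__":
    out_of_scope, browsing = audit(SAMPLE_LOG)
    print("out-of-scope accesses:", out_of_scope)
    print("possible record browsing:", browsing)
```

Against the sample log this reports ravi's card-number lookup as outside the support role's need-to-know and meera's four distinct customers in under a minute as browsing worth a follow-up.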

To summarize, businesses must ensure that all employees from the CEO down to the janitor are sensitized to the threat of identity theft and that they make it their business to handle personal information responsibly in the workplace. Don’t make the workplace a breeding ground for identity theft.

Although privacy laws are yet to be enacted in India, it is only a matter of time before they are put into place. Prime Minister Manmohan Singh and Nasscom have announced off and on that amendments will be made to the IT Act 2000 to put in place personal privacy laws, but there seems to be complete ignorance among Indian politicians regarding the need for privacy protection laws that require all businesses to comply with measures to protect personal information.

The existing laws do provide enough data protection to foreign clients of BPO/KPO companies, but there is no law that requires all businesses to comply with specific measures to ensure data protection. With incidents of identity theft increasing daily, it is just a matter of time before consumer rights groups and consumer activists demand and get such laws.

When that happens, businesses which already have a privacy policy in place will have an edge. Even in the absence of such laws, businesses with a privacy policy in place will be better equipped to operate in the global market, as most global customers are very sensitive about the protection of personal privacy.

So if you do not already have a privacy policy in place, start working on one. Sensitizing management to the threat of identity theft can be a very good starting point!