This week, we welcome Guest Blogger Bill Hess, Founder of Pixel Privacy.
Every company collects sensitive information from new employees to verify their identity, run background checks, and pay them. Companies keep this information in physical files or in computer databases.
It’s essential, both to the individual employee and to your reputation as a business owner, to keep this information safe and secure. If you are not following proper procedures for storing and disposing of employee data, you are leaving yourself open to fraud, identity theft, and lawsuits.
Depending on your business and the size of your operation, you could take this matter into your own hands or outsource it to a professional. Either way, you need to take these steps to keep yourself and your employees' personal data safe.
Keep Track Of Everything
In your company, you should know every place where personal information is received, stored, sent, and disposed of. The FTC recommends walking through the business and taking note of every place you store employee information, such as office computers, laptops, mobile phones, flash drives, copiers, and employees' personal computers used for work.
Take inventory of where all employee files are and how they are stored. Is everything kept in an area that is easily accessible to an intruder, or is the information locked in a filing cabinet in a secluded area?
What do these files look like? Are they stored neatly, so that someone would notice if something were missing? If not, look at the way you are storing physical information and see how you can improve it.
Get a complete understanding of where your information comes from and who is sending it to you. When you do business online and offline, it's essential to know which information arrives through which channel. If job applications and background checks come in both by email and in person, how is each being tracked, stored, and disposed of?
Equally important is how you audit this information once it is stored in your business. Who has access to it? Could that person become a problem if they were to steal it? Does that person actually need access to the information to do their job?
It’s critical that you have a step-by-step action plan for information that is received by your company.
- Where is the information coming from?
- How do you receive this information?
- Where do you transfer the information once it is received?
- Who has access to this information?
You can follow this process on an individual basis depending on what kind of information you are receiving.
For example, you would treat job applications much differently than credit checks. Handle each accordingly, but always have a guideline to follow.
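The inventory described above is easier to keep honest if you can check it against what is actually on disk. The following is an added example, not code from the original post or from Pixel Privacy: a small scanner that walks a directory tree and reports which files contain Social Security numbers or payment-card numbers, so that a file share, a shared laptop, or a backup folder can be checked against the inventory. The file names, directory layout, and records in the demo are constructed for illustration; the SSN structural rules are the Social Security Administration's issuance rules, and the Luhn checksum is the standard card-number check.

```python
"""Data-discovery scanner for building an inventory of where employee data lives.

Added example, not part of the original post. Sample files and values are constructed.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Candidate SSN in the 3-2-4 dashed form. The structural rules in is_valid_ssn()
# (area not 000, 666 or 900-999; group not 00; serial not 0000) drop placeholders
# such as 000-12-3456 that are never issued.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
# Two adjacent digit runs separated only by a space can merge into one candidate;
# the Luhn check below filters almost all such accidental runs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that the SSA never issues."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: real card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count SSN and card-number hits in one document."""
    ssns = sum(1 for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups()))
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards += 1
    return {"ssn": ssns, "card": cards}


def scan_tree(root: str, extensions=(".txt", ".csv", ".md", ".log")) -> list:
    """Walk `root` and list every text file holding at least one SSN or card number."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue                    # unreadable file: skip, do not crash the inventory
        hits = scan_text(text)
        if hits["ssn"] or hits["card"]:
            findings.append((path.relative_to(root).as_posix(), hits))
    return findings


def demo() -> list:
    """Build a constructed sample tree, scan it, clean up, and return the findings."""
    root = tempfile.mkdtemp(prefix="inventory-")
    try:
        (Path(root) / "hr").mkdir()
        # Constructed sample data: one real-looking SSN and one never-issued placeholder.
        (Path(root) / "hr" / "applicants.csv").write_text(
            "name,ssn\nAda Example,123-45-6789\nBob Example,000-12-3456\n")
        # Constructed: the first number is the standard Visa test number, the second
        # has a corrupted check digit and should not be counted.
        (Path(root) / "expenses.txt").write_text(
            "Card on file: 4111 1111 1111 1111\nTypo: 4111 1111 1111 1112\n")
        # Constructed: a phone number, which must not be mistaken for either pattern.
        (Path(root) / "notes.md").write_text("Call 555-123-4567 about the job.\n")
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel_path, hits in demo():
        print(f"{rel_path}: {hits['ssn']} SSN(s), {hits['card']} card number(s)")
```

Run it against a real share by calling scan_tree() on the share's mount point instead of demo(); every file it reports is a place that belongs in the inventory, and any hit outside the locations you expect is a file that should be moved or destroyed.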
Only Keep What Is Necessary
Do not keep an abundance of excess files. Get in the habit of going through your records and disposing of data you no longer need. Likewise, do not keep data such as Social Security numbers for any purpose beyond what actually requires them. If you collected a number for a background check on a job application, dispose of the application copy once the check is complete: for applicants you do not hire, that means destroying it; for the person you hire, keep the number only in the payroll and tax records that require it.
Never use confidential information as an employee ID number.
If your business requires employee credit card information, do not store it or keep it for longer than you need. Once you have completed the action necessary, dispose of that information correctly. This prevents identity theft and fraud issues from arising.
Only grant access to this information to the people who need it. If the information is not necessary to do their job on a daily basis, they should not have access to the private data.
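The two questions above, who can see a given piece of data and who actually did, are easiest to answer when access is decided per field, denied by default, and written to an audit trail on every attempt. The following is an added example, not code from the original post or from Pixel Privacy, of such a check for employee records. The roles, field names, employee record, and purposes are illustrative assumptions; the point is that a manager who needs a name and job title cannot pull the Social Security number along with it, and that a refused request is still logged.

```python
"""Deny-by-default, field-level access to employee records with an audit trail.

Added example, not part of the original post. Roles, fields and records are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Which record fields each role may read. A role that is not listed, or a field
# that is not listed for a role, is denied. Payroll needs the SSN for tax
# reporting; a line manager does not, so it is absent from that role.
POLICY = {
    "hr": {"name", "address", "ssn", "background_check"},
    "payroll": {"name", "ssn", "bank_account"},
    "manager": {"name", "job_title"},
}


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    actor: str
    role: str
    employee_id: str
    fields: tuple
    purpose: str
    allowed: bool


class EmployeeRecordStore:
    def __init__(self, records: dict):
        self._records = records      # employee_id -> {field: value}
        self.audit = []              # append-only in this demo; ship it to a log server in practice

    def read(self, actor: str, role: str, employee_id: str, fields, purpose: str) -> dict:
        """Return only the requested fields, and only if the role may read all of them."""
        requested = tuple(fields)
        allowed = POLICY.get(role, set())
        denied = set(requested) - allowed
        ok = not denied and employee_id in self._records
        # Log before returning anything, so denials are recorded as well as successes.
        self.audit.append(AuditEntry(datetime.now(timezone.utc), actor, role,
                                     employee_id, requested, purpose, ok))
        if denied:
            raise PermissionError(f"role {role!r} may not read {sorted(denied)}")
        if employee_id not in self._records:
            raise KeyError(employee_id)
        record = self._records[employee_id]
        return {f: record[f] for f in requested}

    def who_can_read(self, field_name: str) -> set:
        """Answer 'who has access to this information?' for one field."""
        return {role for role, fields in POLICY.items() if field_name in fields}

    def accesses_to(self, field_name: str) -> list:
        """Answer 'who actually read this field?' from the audit trail."""
        return [e for e in self.audit if e.allowed and field_name in e.fields]


def build_demo_store() -> EmployeeRecordStore:
    """One constructed employee record; every value here is made up."""
    return EmployeeRecordStore({
        "E100": {"name": "Ada Example", "address": "1 Example St", "ssn": "123-45-6789",
                 "bank_account": "000111222", "job_title": "Analyst",
                 "background_check": "clear"},
    })


if __name__ == "__main__":
    store = build_demo_store()
    print(store.read("alice", "payroll", "E100", ["name", "ssn"], purpose="W-2 filing"))
    try:
        store.read("bob", "manager", "E100", ["name", "ssn"], purpose="curiosity")
    except PermissionError as exc:
        print("denied:", exc)
    print("roles that can read ssn:", sorted(store.who_can_read("ssn")))
    for entry in store.audit:
        print(entry.actor, entry.role, entry.fields, entry.purpose, "allowed" if entry.allowed else "DENIED")
```

The same shape works for physical files: the "policy" is the list of people who hold a key to the cabinet, and the audit trail is the sign-out sheet. In both cases a request for more than the job needs should fail outright, not succeed with a note.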
Keep The Information Secure
It’s critical that you have a data security plan in your company. This goes for physical files as well as digital ones. Everyone in the company should receive training on how you secure files and protect company data on the internet. One of the best ways to secure digital files is encryption. A study done by Sophos (as shown above) found that most companies consider encryption important for protecting employee information.
- Store personal files in a locked file cabinet and limit access to employees who have a regular need to enter the cabinet. Do not store these files in an open area near exits or an individual’s office.
- Require that employees only access the file when there is a legitimate need to use it and that it is returned immediately upon completion of the task. Do not leave files out longer than they have to be.
- Be sure that files get put away and cabinets get locked at the end of the day. Give each office its own key, held only by the occupant of that office.
- Have an operating procedure for how employees handle an unidentified person in the office.
- Implement keypads and security cameras in high-risk areas where confidential information gets stored.
- Limit the computer systems that can access digital records and keep them all password protected.
- Only allow access to individuals with a direct need to see that information.
- Encrypt personal data that gets sent through public networks as well as emails sent outside of business email accounts.
- Keep computer systems up to date with security patches and with current antivirus and anti-malware protection.
- If you need to access any data remotely on an unfamiliar network, always use a VPN.
- Have a maintenance plan centered on backing up important company documents and storing the backups on (locked up) flash drives and in cloud storage. Encrypt the backups as well: they contain the same personal data as the originals.
PixelPrivacy.com is all about making the world of online security accessible to everyone. We pride ourselves in writing guides that we’re certain even our own mothers could understand! Be sure to head over to our blog if you’re interested in keeping your private information just that: Private!
Guest Blogger, Bill Hess, Founder of Pixel Privacy