Failure to manage outdated privacy policies is more of a problem than you realize.
If you’re in business, chances are you have some type of client information stored in digital or hard files. Processing orders for products and services most often requires full names, addresses, credit card information and other customer profile data. Employees have to supply their social security numbers for tax documents and payroll. Some companies even request customers’ SSNs as identification, whether it’s necessary or not.
The problem is that compromised information is more than an inconvenience for you and your customers. If someone hacks client, business, or employee information, you become liable for the damages. You will lose customers and the strength of your brand, and you may even become the defendant in lengthy lawsuits, all of which cost your company money and opportunities.
Strengthening your privacy policies is a core step in your data security strategy, as is training staff to help in the fight against security breaches.
Federal Trade Commission (FTC) Fair Information Practice
The FTC has organized some best practices for privacy policies based on laws the U.S. has in place to protect customer information. It has drawn requirements from the following laws to give you guidelines on how you should handle sensitive information and privacy policies within your company:
Right to Financial Privacy Act
Fair Credit Reporting Act
Cable Television Protection and Competition Act
Video Privacy Protection Act
Electronic Communications Privacy Act
While many of the practices focus on websites and online companies, they are a foundation for all companies to follow in an effort to protect their data and clients. Here’s a summary of what you should do to comply with the FTC Fair Information Practice:
At a minimum, notify users when you collect their personal information and how you plan to use it.
Give customers a choice about whether you may continue using their information and in what manner you have permission to use it.
Customers should have the right to see any of their information you’re using or storing.
Make it easy for customers and employees to view and access company privacy policies.
Post privacy policies at a specific location within your store or office and have a clearly visible link to privacy policies online.
Protect your company from lawsuits and minimize business risk
Prevent identity theft and data compromises
Retain satisfied customers who are confident in your business
Preserve and protect your brand from a negative outlook based on data breaches
Keep employee information safe and reduce turnover
Have confidence in your staff and their ability to properly handle sensitive client information
The Federal Trade Commission advises companies to follow these steps when composing or updating privacy policies:
Step 1: Review documents to get an account of the sensitive data you’re storing in digital or hard copy format. Work with the entire company to gather information on what documents you have. Start by breaking it down by department, asking each area what information it has and how it receives and uses it. From there, account for data on all systems including laptops, desktops, tablets, phones, drives, disks, copiers, cash registers, portable merchant devices (Square or PayPal Here swipe readers) and any other digital devices. Review your storage or filing system to document the type and amount of hard data you have.
Step 2: Purge documents, keeping only what you need to complete business functions. Even if you need to use certain information to complete services or transactions, decide if you can get rid of it once you complete the transaction. For instance, you don’t need to store credit card information unless clients agree to set up a recurring draft for repeat services.
If you’re required to keep documents on file for a certain period, like tax documents or credit reports, make a note of the date and time you can get rid of them. Use this as an opportunity to create a new system for collecting and/or storing only necessary information.
Step 3: Secure information you do need to keep in your system, and only allow staff to access personal information as needed to complete their duties. Beef up security for all areas where you transport, store, and manage sensitive information. Encrypt email and fax communications, and keep virus and malware protections updated.
Step 4: Destroy information you don’t need, using a secure data destruction and paper shredding service. Once you’ve separated the necessary from the unnecessary information, don’t just toss it in the garbage. Hard drives retain some of the most critical data that criminals can access to steal confidential details. Use a certified company that can securely manage destruction of sensitive documents in all forms.
Step 5: Create a plan to prevent or minimize data security problems and add it to your risk management strategy. Now is the time to fix outdated privacy policies or create new ones.
You also need to have definite action steps the company should follow in the event of a data breach. Having the right security and updated office technology solutions is paramount.
Why privacy policies are important and how employees can help maintain customer privacy.
The importance of having strong passwords.
Keeping information confidential by not leaving it unattended, not sharing processes, and locking computers and digital devices.
Avoid the Pitfalls of Outdated Privacy Policies and Untrained Staff
At PROSHRED® Philadelphia, we are a paper shredding service with NAID certification and can professionally shred your confidential materials on site, so your sensitive information doesn’t leave your location until it is completely destroyed. If you are interested in one of our data destruction or information security services, contact us today to schedule an appointment!