The FTC Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three critical areas of information security: Information Systems, Employee Management & Training, and Detecting and Managing System Failures.
This blog post covers Information Systems. Please see the Employee Management & Training and Detecting and Managing System Failures blog posts for the other areas.
- Know where sensitive customer information is stored and store it securely. Make sure only authorized employees have access.
- When customer information is stored on a cloud storage service, use a strong password and MFA (Multi-Factor Authentication).
- If the customer information is on a server or other computer, ensure that the computer is accessible only with a "strong" password and is kept in a physically secure area.
- Where possible, avoid storing sensitive customer data on a computer or laptop accessible over the internet. In other words, don't expose your employees' machines to the internet.
- Maintain secure backup records and secure archived data by storing them on the cloud OR offline in a physically secure area. If stored on the cloud, ensure there is a strong password and MFA.
- Maintain a careful inventory of your company’s computers and other equipment on which customer information may be stored.
  - 💁‍♂️ Use an IT inventory management system like Snipe-IT.
- Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
- Store records in a room or cabinet that is locked when unattended.
- Take steps to ensure the secure transmission of customer information:
  - When you transmit credit card information or other sensitive financial data, use SSL/TLS or other secure connections to protect the information in transit.
  - Make secure transmission automatic if you collect information online directly from customers via email, customer support tools, or CRM.
  - If you collect information online directly from customers via your website, ensure that secure transmission is automatic.
- Securely dispose of customer information. For example:
  - Consider designating or hiring a records retention manager to supervise the disposal of customer information records. If you hire an outside disposal company, conduct due diligence beforehand by checking references or requiring that the company be certified by a recognized industry group.
    - 💁‍♂️ Use a certified document and hard drive destruction service like Shred-it.
  - Burn, pulverize, or shred papers containing customer information so that the information cannot be read or reconstructed.
  - Destroy or erase data when disposing of computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or hardware containing customer information.