Most companies keep sensitive personal information in their files and in their computers—names, Social Security numbers, account data—that identifies customers or employees. Companies need information like that to fill orders, meet payroll or perform other necessary business functions. But if sensitive data falls into the wrong hands, it can lead to fraud or identity theft. Safeguarding sensitive data is just plain good business. You can take the following steps to help protect the personal information of your customers or clients.

Do not collect more personal information
  Document the types of personal information you collect.
  Analyze the personal information being collected to determine if it is necessary to deliver your services.

Do not retain personal information longer than legally required and/or necessary for business purposes.
  Determine legal requirements for
  Identify business purposes for retaining personal information and establish

Protect personal information you collect, use, disclose and retain.
  Utilize administrative safeguards such as information security policies, procedures
  Utilize technical safeguards such as

Ensure additional protection methods for sensitive personal information retained.
  Determine the types of sensitive personal information to secure.
  Determine the required level of

Restrict access to personal information to individuals with a business need to access
  Establish a policy for approving
  Identify positions authorized to gain

Dispose of personal information
  Develop policies and procedures for
  Understand legal and regulatory requirements for disposing of personal

Keep antivirus software and security
  Document policies for updating security patches and antivirus software.

Instill awareness and train employees on the proper handling of personal information.
  Develop a privacy awareness program.
  Identify responsibility for providing

Know federal, state and local laws and the rights consumers and employees have under
  Compare business practices to applicable laws periodically to ensure compliance.

Conduct regular audits to ensure personal information is protected.
  Identify responsibility for monitoring the protection of personal information.

Source: The AICPA/CICA Privacy Task Force. For more information on how to ensure your organization is following good privacy and download a copy of Generally Accepted Privacy Principles—A Global Privacy Framework.