Most companies keep sensitive
personal information in their files and in their
computers—names, Social Security numbers, account
data—that identifies customers or employees.
Companies need information like that to fill
orders, meet payroll or perform other necessary
business functions. But if sensitive data falls
into the wrong hands, it can lead to fraud or
identity theft. Safeguarding sensitive data is
just plain good business. You can take the
following steps to help protect the personal
information of your customers or clients.
1. Do not collect more personal information than you need.
   - Document the types of personal information you collect.
   - Analyze each type of personal information collected to determine whether it is necessary to deliver your services.

2. Do not retain personal information longer than legally required or necessary for business purposes.
   - Determine the legal requirements for record retention.
   - Identify the business purposes for retaining personal information and establish retention periods for each.

3. Protect the personal information you collect, use, disclose and retain.
   - Use administrative safeguards such as information security policies, procedures and standards.
   - Use technical safeguards such as identity management.

4. Apply additional protection to the sensitive personal information you retain.
   - Determine which types of sensitive personal information must be secured.
   - Determine the required level of security for each.

5. Restrict access to personal information to individuals with a business need for it.
   - Establish a policy for approving authorized users.
   - Identify the positions authorized to gain access.

6. Dispose of personal information appropriately.
   - Develop policies and procedures for disposal.
   - Understand the legal and regulatory requirements for disposing of personal information.

7. Keep antivirus software and security patches current.
   - Document policies for updating security patches and antivirus software.

8. Instill awareness and train employees in the proper handling of personal information.
   - Develop a privacy awareness program.
   - Assign responsibility for providing training.

9. Know the federal, state and local laws, and the rights consumers and employees have under those laws.
   - Compare business practices to applicable laws periodically to ensure compliance.

10. Conduct regular audits to ensure personal information is protected.
   - Assign responsibility for monitoring the protection of personal information.
Source: The AICPA/CICA Privacy Task Force. For more information on how to ensure your organization is following good privacy practices, visit www.aicpa.org/privacy and download a copy of Generally Accepted Privacy Principles—A Global Privacy Framework.