What are three (3) best practices small business owners can use when collecting personally identifiable information (pii) from contractors, employee's, buyers, suppliers, etc?

Freedom Friday HR Question was Asked by Tisha Hammond☆Small Business Cheerleader, CEO of Accent Small Business Promotion, LLC

 

 

What are three (3) best practices small business owners can use when collecting personally identifiable information (pii) from contractors, employee's, buyers, suppliers, etc?

 

 

Personal Identifiable Information (PII) is ― any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

 

 

 

Some examples of PII include, but are not limited to:

  • Name, such as full name, maiden name, mother‘s maiden name, or alias

  • Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, or financial account or credit card number

  • Address information, such as street address or email address

  • Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)

  • Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

The likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects, and stores. For example, an organization should only request PII in a new form if the PII is absolutely necessary. An organization should also, regularly review its holdings of previously collected PII to determine whether the PII is still relevant and necessary for meeting the organization‘s business purpose and mission. For example, organizations could have an annual PII purging awareness day, and:

  • Review current holdings of PII and ensure they are accurate, relevant, timely, and complete.

  • Reduce PII holdings to the minimum necessary for proper performance of agency functions

  • Develop a schedule for periodic review of PII holdings

  • Establish a plan to eliminate the unnecessary collection and use of SSNs.

 

Steps to protect PII and your Company:

  • Create Policies and Procedures. Organizations should develop comprehensive policies and procedures for protecting the confidentiality of employees, customers, vendors, etc.

  • Conducting PII Training. Organizations should reduce the possibility that PII will be accessed, used, or disclosed inappropriately by requiring that all individuals receive appropriate training before being granted access to systems containing

  • Implement Access Control for Mobile Devices. Organizations can prohibit or strictly limit access to PII from portable and mobile devices, such as laptops, cell phones, and personal digital, which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization‘s facilities).

  • Use Access Enforcement. Organizations can control access to PII through access control policies and access enforcement mechanisms (e.g., access control lists).

  • Provide Transmission Confidentiality. Organizations can protect the confidentiality of transmitted PII. This is most often accomplished by encrypting the communications or by encrypting the information before it is transmitted.

  • Assure the database is only accessed by a few people who investigate fraud, waste, and abuse claims. All access to the database occurs only from the organization‘s internal systems.

 

 

our first variables to know about the handlers of PII in your Company:

  • Who sends sensitive personal information to your business. Do you get it from customers? Credit card companies? Banks or other financial institutions? Credit bureaus? Job applicants? Other businesses?

  • How your business receives personal information. Does it come to your business through a website? By email? Through the mail? Is it transmitted through cash registers in stores?

  • What kind of information you collect at each entry point. Do you get credit card information online? Does your accounting department keep information about customers’ checking accounts?

  • Where you keep the information you collect at each entry point. Is it in a central computer database? On individual laptops? On a cloud computing service? On employees’ smartphones, tablets, or other mobile devices? On disks or tapes? In file cabinets? In branch offices? Do employees have files at home?

  • Who has—or could have—access to the information. Which of your employees has permission to access the information? Do they need access? Could anyone else get a hold of it? What about vendors who supply and update software you use to process credit card transactions? Contractors operating your call center?

  • Different types of information present varying risks.

  • Pay particular attention to how you keep personally identifying information: Social Security numbers, credit card or financial information, and other sensitive data. That’s what thieves use most often to commit fraud or identity theft.

Laptop Security

We are in a society where laptops are owned and housed by everyone.  In fact laptop security is CRITICAL!

  • Restrict the use of laptops to those employees who need them to perform their jobs.

  • Assess whether sensitive information really needs to be stored on a laptop. If not, delete it with a “wiping” program that overwrites data on the laptop.  Deleting files using standard keyboard commands isn’t sufficient because data may remain on the laptop’s hard drive. Wiping programs are available at most office supply stores.

 

Additional Steps you should train and implement TODAY, if you have not already done so:

  1. Only collect PII that is absolutely necessary to meet the needs of the organization’s mission. In other words, if you retrieve a form seeking PII – a general form. Take our all requests on the form information that is irrelevant to your company’s mission and needs. Revise to form to collect only the necessary information. 

  2. Do not leave files or documents containing PII or tax return information unsecured and unattended on desks, printers, personal computers, phones or other electronic devices, and fax machines.

  3. Do not send or forward e-mails with PII to personal e-mail accounts (e.g., Yahoo, Gmail).

  4. Protect e-mails that contain PII (e.g., encryption).

  5. Do not upload PII to unauthorized websites (e.g., wikis).

  6. Do not use unauthorized mobile devices to access PII.

  7. Lock up portable devices (e.g., laptops, cell phones).

Click below to receive a free Incident Response Policy and Plan!