Freedom Friday HR Question was Asked by Tisha Hammond☆Small Business Cheerleader, CEO of Accent Small Business Promotion, LLC
What are three (3) best practices small business owners can use when collecting personally identifiable information (pii) from contractors, employee's, buyers, suppliers, etc?
Personal Identifiable Information (PII) is ― any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Some examples of PII include, but are not limited to:
Name, such as full name, maiden name, mother‘s maiden name, or alias
Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, or financial account or credit card number
Address information, such as street address or email address
Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)
Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
The likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects, and stores. For example, an organization should only request PII in a new form if the PII is absolutely necessary. An organization should also, regularly review its holdings of previously collected PII to determine whether the PII is still relevant and necessary for meeting the organization‘s business purpose and mission. For example, organizations could have an annual PII purging awareness day, and:
Review current holdings of PII and ensure they are accurate, relevant, timely, and complete.
Reduce PII holdings to the minimum necessary for proper performance of agency functions
Develop a schedule for periodic review of PII holdings
Establish a plan to eliminate the unnecessary collection and use of SSNs.
Steps to protect PII and your Company:
Create Policies and Procedures. Organizations should develop comprehensive policies and procedures for protecting the confidentiality of employees, customers, vendors, etc.
Conducting PII Training. Organizations should reduce the possibility that PII will be accessed, used, or disclosed inappropriately by requiring that all individuals receive appropriate training before being granted access to systems containing
Implement Access Control for Mobile Devices. Organizations can prohibit or strictly limit access to PII from portable and mobile devices, such as laptops, cell phones, and personal digital, which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization‘s facilities).
Use Access Enforcement. Organizations can control access to PII through access control policies and access enforcement mechanisms (e.g., access control lists).
Provide Transmission Confidentiality. Organizations can protect the confidentiality of transmitted PII. This is most often accomplished by encrypting the communications or by encrypting the information before it is transmitted.
Assure the database is only accessed by a few people who investigate fraud, waste, and abuse claims. All access to the database occurs only from the organization‘s internal systems.
our first variables to know about the handlers of PII in your Company:
Who sends sensitive personal information to your business. Do you get it from customers? Credit card companies? Banks or other financial institutions? Credit bureaus? Job applicants? Other businesses?
How your business receives personal information. Does it come to your business through a website? By email? Through the mail? Is it transmitted through cash registers in stores?
What kind of information you collect at each entry point. Do you get credit card information online? Does your accounting department keep information about customers’ checking accounts?
Where you keep the information you collect at each entry point. Is it in a central computer database? On individual laptops? On a cloud computing service? On employees’ smartphones, tablets, or other mobile devices? On disks or tapes? In file cabinets? In branch offices? Do employees have files at home?
Who has—or could have—access to the information. Which of your employees has permission to access the information? Do they need access? Could anyone else get a hold of it? What about vendors who supply and update software you use to process credit card transactions? Contractors operating your call center?
Different types of information present varying risks.
Pay particular attention to how you keep personally identifying information: Social Security numbers, credit card or financial information, and other sensitive data. That’s what thieves use most often to commit fraud or identity theft.
We are in a society where laptops are owned and housed by everyone. In fact laptop security is CRITICAL!