Most businesses collect some sort of personal information on their clients, customers, or employees. But not all of them are scrupulous in how they guard that information from theft or misuse. Companies that keep customer or employee identification numbers, income, personal references, employment history, health records, or other important data have a responsibility - in some cases, a legal responsibility - to keep that information safe.
Smart Answers columnist Karen E. Klein recently spoke with Jordana Beebe, communications director of San Diego-based Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization, about identity theft, a new set of business privacy guidelines released by the Better Business Bureau, and how both companies and consumers can protect themselves as more and more information goes digital. Edited excerpts of their conversation follow:
Q: Why the need for a privacy-rights organization?
A: We focus on both consumer rights and privacy-related issues. Since we formed in 1992, when the Computer Age was really taking off, it has become easier for anyone to aggregate personal information. More and more, we see databases that contain our personal information. Although [that information is] not always used inappropriately, we want to raise consumers' awareness of how their privacy is being impacted.
Q: The first privacy rule from the BBB is "If you don't need it, don't collect it." Why do businesses today ask for so much personal information on their clients?
A: A lot of times, the marketing department wants to better target potential new customers by getting detailed information on the company's current customer base. That's understandable, but many businesses are tempted to collect a lot more information than they really need, making them good targets for information thieves.
Many times, customers are concerned about handing over personal information, because once they do, they know it's out of their control. All that data can fall into the hands of a computer hacker or a dishonest employee. Some of it can be sold to telemarketers or purveyors of junk mail.
Our sense is that customers are more willing to spend their dollars with companies that protect their information and don't pry into their personal lives just so the marketing department can aggregate information and categorize them.
Q: What about information that's truly necessary to complete a transaction?
A: There's nothing wrong with collecting necessary information. But if you aren't required by law to keep that information, and you will rarely need it in the future, you should get rid of it, not file it away for posterity. If it's disposed of carefully, there's no risk that it will be stolen. In fact, in California, we have a document-destruction law. It says if you have paper records and don't need them, you have to make sure they're properly destroyed.
Q: What constitutes proper destruction?
A: You should shred or incinerate customer and employee records on paper. If you are getting rid of computers, make sure your hard drives are "scrubbed" of data first. Even the smallest company can afford a cheap paper shredder these days. If they don't use it, sensitive papers wind up in the hands of dumpster divers looking to perpetrate identity theft or make unauthorized credit charges.
Even if someone doesn't go looking for the information deliberately, it could fall into the wrong hands on the way to the dump on a windy day. We're talking about merchant copies of credit-card receipts that contain full credit-card numbers or paperwork with Social Security numbers on it. There are some facts about records destruction at the Web site of the National Association for Information Destruction.
Q: What about records your company needs to keep for legal or financial reasons?
A: Make sure they're kept securely. A recent university study showed that more than half of identity theft is perpetrated by dishonest employees. So the first thing you want is to do background checks on your new hires to make sure they haven't had problems in the past.
We had a report about a new employee with a history of prior financial crimes coming into a company that didn't check out his background. He got access to an unlocked filing closet and not only used customers' Social Security numbers illegally but also gave them to other employees and taught them how to do the same thing. Remember, not everyone in your company needs access to the personal data you keep. Make sure sensitive information is kept under lock and key, and that those who have access to it are absolutely above-board.
Q: Here's another tip from the BBB: "Do not broadcast personal information." What's that about?
A: That's about training your employees not to ask for birthdates or identification numbers in areas where others can overhear the answer. Customers can write down the information on a piece of paper. It's also about making sure their computer screens are turned away from public view when they bring up account numbers or addresses and phone numbers.
Similarly, you don't want to put personal information in a mailing or invoice where the numbers can be read through the viewing window in the envelope. And you ensure that your employees don't give out personal information to just anyone who calls or shows up asking for it. We hear too often about people whose personal information was accessed by a crook posing as them.
Put passwords on your customer and supplier accounts, and make sure your employees ask for them, or your systems require them all the time. All this is part of being aware of guarding privacy rights.
Social Security numbers are particularly sensitive, because identity thieves have been able to pull off frauds just by getting a hold of those numbers, even if they don't have a date of birth or a proper address. So encourage your customers and employees never to use their Social Security numbers as account numbers or passwords.
If you have collected data and use Social Security numbers to organize it, it's time to phase that system out. In California, we have a law that says if you're a private company, you can't send correspondence that contains a person's Social Security number, unless it's legally mandated. Other states are pursuing similar laws.
Q: The final BBB rule has to do with physical security at the place of business. How important is that?
A: Extremely important. We've heard of thieves just going into offices that aren't secured and walking off with databases and computer servers. Your hardware should be secured - literally locked down if need be - and your files should be locked at all times. After hours, make sure your offices and warehouses are secured and alarmed.
Q: What specific issues apply to protecting privacy for your employees?
A: The big issue is workplace monitoring. Companies may have keystroke loggers so they can see what their employees are writing and check their Web-surfing habits and chat sessions. They may have surveillance cameras in the workplace or global-positioning-system tracking on company vehicles or wireless devices.
We recommend that if companies are going to do that, they should inform their employees. Why set an invisible trap for your staff? Provide them with information about what type of monitoring exists, and they won't abuse their time.