Every organization – from a small nonprofit to a large corporation – keeps sensitive personal information in their files that identifies customers and employees. This “personal identifying information” can include names, Social Security numbers, credit card, license, and account data.

But if sensitive data – even as simple as someone’s name – falls into the wrong hands, it can lead to fraud, embezzlement, identity theft, and other crimes that harm either the customer and employee or your business. Losing the trust of your customers or defending yourself or your company against a lawsuit is at stake, and what business can afford that risk?

What is our federal government doing to protect consumers and business owners? The Federal Trade Commission (FTC) has served as the chief agency on privacy policy and enforcement since the 1970s when it began enforcing one of the first federal privacy laws: the Fair Credit Reporting Act. Since then, technology has raised new privacy challenges in protecting information but the FTC has maintained vigilance in taking law enforcement action to make sure companies live up to their promises for securing sensitive consumer data.

It’s no surprise that identity theft topped the FTC’s national ranking of consumer complaints for the 15th consecutive year. Fake debt collection and imposter scams (particularly about the IRS) round out the top three. A business of any size has legal obligations to protect data from a breach and, depending on the industry in which you operate, must follow rules (Red Flags Rule, the COPPA Rule, FTC’s Disposal Rule), regulations (Gramm-Leach-Bliley Act) and specific industry guidelines to do the same.

How can you protect your business from a data breach? Here are five steps to take:

1. Conduct background checks. A well-trained and screened workforce is the best defense against identity theft and data breaches. Check references and do background checks before hiring employees and contractors who will have access to sensitive data. Investigate the background screening company of your choice to ensure that they are accredited by the National Association of Professional Background Screeners. Such accredited firms will utilize data security practices that meet the highest possible standards.

2. Shred and pare down your records. Dispose of credit reports, receipts, CDs and any paperwork with sensitive data printed on it, as many data compromises happen the old-fashioned way – through lost or stolen paper documents. This is not to say that electronic security is preferred, but an encrypted, e- security system managed by an independent professional is recommended.

3. Follow state law. Because there are no federal standards or guidance for protecting personal identifying information, you should comply with your state law. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of personal identifying information. Many require a risk-based information security program be in place, and outline the proper notification steps. See this link for data breach notification laws in your state.The laws are always changing so use this as a guide, but always check the latest laws directly with your state and/or your privacy attorney.

4. Be pro-active. Put measures in place now, as though you were defending yourself and your company from a lawsuit due to a security breach. Planning and reacting on paper without having to face the stress of an actual breach makes sense, when emotions are not running wild. Assess the vulnerability of any foreseeable attacks, breaches and issues and determine the steps necessary to protect your physical and electronic records at all times. From locking file cabinets and restricting employee access to running anti-spyware programs and securing electronic information in transit over the Internet, don’t leave any stone unturned – even if it’s a basic or obvious protection step.

5. Train your staff. Your information security plan is only as strong as the employees who will implement it. Initial and periodic training will help place an importance on everyday behaviors in keeping personal information secure and confidential. Consider limiting access to personal information to employees on a “need to know” basis. Be sure to have a procedure in place for what to do when workers leave your employment, such as terminating passwords, collecting keys and ID cards.

Creating a culture of security is vital to protecting your business from data breaches and other problems associated with ‘leaking’ personal information. Taking steps now to safeguard such information before any breaches occur is smart and demonstrates a deep, value-based sense of professionalism and integrity in your business operations.

Source: Federal Trade Commission, “Protecting Personal Information: A Guide for Business.” For a free booklet, email info@hireimage.com or call Hire Image at (888) 433-0090