Did You Know – Tips for Data Protection on Personal Information

Information Compiled by: Kathy Linscott, NACM Commercial Services
Content from Experian and Fair Credit Reporting Act (FCRA)

Companies often keep sensitive personal information about customers or employees in their files or on their network. Fraud is being reported more and more often, and we all share the responsibility of safeguarding this information. I am sure you have heard the saying, “if you collect it, protect it!” Some rules to follow:

  • Have strong privacy policies in place. Review them at least annually.
  • Keep on top of updates for the latest security software, web browser, and operating system to help protect against viruses and malware. Consider using layers of defense such as a firewall and spam filters. Anti-virus software should be on all systems and must be able to detect, remove, and protect against all known types of malicious software such as viruses, worms, spyware, trojans, and rootkits.
  • Employee training is key. Employees need to be kept up to date on how to protect sensitive information from falling into the wrong hands. Topics to cover include how to identify fraud schemes and why not to open attachments or click on suspicious links in unsolicited emails.
  • Access to personal information should only be assigned to authorized individuals based on the privilege necessary to perform their job responsibilities.
  • Create unique user IDs for each user to enable individual authentication and accountability for their access.
  • Don’t forget to block the access of any employees who have left the company or whose job tasks have changed so that they no longer require access.
  • Computers and file cabinets should be kept locked when you are away from your desk. You can implement password-protected screensavers with a maximum 15-minute timeout to protect unattended workstations in case you forget to lock them when you leave your desk.
  • All credentials such as usernames/account numbers/passwords must be kept confidential. Do not post them in your office where others can easily access them.
  • Passwords should be strong, not guessable. Avoid guessable choices such as your name, your company name, repeating letters or numbers, and consecutive numbers. Do not use the same password for everything, and change passwords at least every 90 days.
  • Social security numbers should be encrypted when stored electronically on any system, including servers, computers, laptops, iPads, iPhones, etc.
  • When sensitive information is no longer needed, ensure that all hard copies containing it are put through a crosscut shredder or another method that gives you assurance the hard copy materials cannot be reconstructed. Electronic media containing sensitive information should likewise be disposed of through secure deletion.
