by Leonard A. Bellavia, Esq.
When the FTC Safeguards Rule was implemented nearly a decade ago, businesses throughout the United States incurred substantial costs to secure nonpublic personal information from would-be identity thieves and other criminals. Then, most efforts entailed securing files located in cabinets, desks and offices by placing locks on entry points. While businesses must remain vigilant to secure information housed in file cabinets and offices, additional precautions should be adopted to protect information stored electronically.
Nonpublic personal information resides in businesses consumer information management systems. We recently shared how Peer-to-Peer (“P2P”) applications such as Skype or AIM can allow employees to copy electronic data to remote computers. Would-be thieves can also appropriate data by other means. One is by physical access to computer servers housed on-site at your company. Many companies still use servers for their systems, which are often in a room that is left open for access by employees. For someone who is tech savvy, a portable hard drive and physical access to the server is sufficient to copy information from the server for his or her own use. Companies that have migrated to “cloud” based servers are still at risk. In these cases, anyone who has the correct login and password can access sensitive data.
Regardless of whether your business uses a server or “cloud” based services, the FTC Safeguard Rules obligates your business to protect nonpublic personal information. If you have servers on-site, you should secure them in rooms that are locked and limit access to few employees. If you use “cloud” based services, you must diligently protect logins and passwords that could be used to retrieve nonpublic personal information. This means encouraging employees to not write their logins and passwords down in locations that could be easily found and requiring employees to frequently change their passwords. Also, you should audit which logins have access to such information and purge accounts of employees that no longer work at your business.
If you have any questions about your obligation to protect sensitive data, please call us at 631-224-7000.