Data breaches & theft
The following information on how to protect against potential data breaches.
- CONSIDER ANOTHER WAY TO PAY - Try newer ways to pay, such as
PayPal or Apple Pay. Any technology that avoids you having your credit card
in your hand in a store is safer. Those services store your credit card
information and it's not given to the retailer when you make a payment.
Stored-value cards or apps, such as the ones used at coffee chains Starbucks
and Dunkin Donuts, are also a safer bet, because they don't expose credit
card information at the register.
- SIGN IT, DON'T PIN IT - If you're planning on paying with a debit
card, sign for your purchase instead of typing in your personal
identification number at the cash register. You can do this by asking the
cashier to process the card as a credit card or select credit card on the
display. Not entering your PIN into a keypad will help reduce the chances of
a hacker stealing that number too. Crooks can do more damage with your PIN,
possibly printing a copy of the card and taking money out of an ATM.
- BEWARE OF EMAIL SCAMMERS - After big data breaches are exposed,
and get a lot of media attention, scammers come out of the woodwork looking
to steal personal information. Some emails may mention the latest breach or
offer free credit monitoring, but you should never click on the links. Many
are for fake sites that try to steal personal information or passwords.
- KEEP UP WITH CREDIT CARD ACTIVITY - Review credit card activity often for any unauthorized charges. And keep an eye out for smaller charges.
Thieves will charge smaller amounts to test to see if you notice and then
charge a larger amount later. They may also steal a small amount from
millions of accounts, scoring a big payday. Also, take advantage of the many alert features that credit cards companies offer today
- MONITOR CREDIT REPORTS - Check your credit report for any accounts that crooks may have opened in
your name. Credit reports are available for free, from each of the three
national credit reporting agencies — Equifax, Experian and TransUnion —
every 12 months from
http://www.AnnualCreditReport.com. Some monitoring services and credit card companies now allow you unlimited access to credit information, so you could theoretically check every day.
For Small Businesses:
- Keep Only What You Need. Reduce the volume of information you collect and retain to only what is necessary. Minimize the places you store personal data. Know what you keep and where you keep it.
- Destroy Before Disposal. Cross-cut shred paper files before disposing of private information. Also destroy CDs, DVDs and other portable media. Deleting files or reformatting hard drives does not erase data. Instead, use software designed to permanently wipe the drive, or physically destroy it.
- Safeguard Data. Lock physical records in a secure location. Restrict access to employees who need to retrieve private data. Conduct employee background checks and never give access to temporary employees or vendors.
- Update Procedures. Do not use Social Security numbers as employee ID or client account numbers. If you do so, develop another ID system now.
- Establish Password Management. A password policy should be established for all employees or temporary workers who will access corporate resources. In general, password complexity should be established according to the job functions and data security requirements. Passwords should never be shared.
- Secure All Computers. Implement password protection and require re-logon after a period of inactivity. Train employees to never leave laptops or PDAs unattended. Restrict tele-working to company-owned computers and require use of robust passwords that are changed regularly.
- Control Use of Computers. Restrict employee use of computers to business. Don't permit use of file sharing peer-to-peer websites. Block access to inappropriate websites and prohibit use of unapproved software.
- Keep Security Software Up-To-Date. Keep security patches for your computers up to date. Use firewalls, anti-virus and spyware software; update virus and spyware definitions daily.
- Encrypt Data Transmission. Mandate encryption of all data transmissions. Avoid using Wi-Fi networks; they may permit interception of data.
- Manage Use of Portable Media. Portable media, such as DVDs, CDs and USB "flash drives," are more susceptible to loss or theft. Allow only encrypted data to be downloaded to portable storage devices.
- Establish an Approval Process for Employee-Owned Mobile Devices. With the increased capabilities of consumer devices, such as smart phones and tablets, it has become easy to interconnect these devices to company applications and infrastructure. Use of these devices to interconnect to company email, calendaring and other services can blur the lines between company controls and consumer controls. Employees who request and are approved to have access to company information via their personal devices should understand and accept the limitations and controls imposed.
- Govern Internet Usage. Most people use the internet without a thought to the harm that can ensue. Employee misuse of the internet can place your company in an awkward, or even illegal, position. Establishing limits on employee internet usage in the workplace may help avoid these situations. Every organization should decide how employees can and should access the web. You want employees to be productive, and this may be the main concern for limiting internet usage, but security concerns should also dictate how internet guidelines are formulated.
- Manage Email Usage. Many data breaches are a result of employee misuse of email that can result in the loss or theft of data and the accidental downloading of viruses or other malware. Clear standards should be established regarding use of emails, message content, encryption and file retention.
- Govern Social Media. All users of social media need to be aware of the risks associated with social media networking. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. Active governance can help ensure employees speak within the parameters set by their company and follow data privacy best practices.
- Oversee Software Copyright and Licensing. There are many good reasons for employees to comply with software copyright and licensing agreements. Organizations are obliged to adhere to the terms of software usage agreements and employees should be made aware of any usage restrictions. Also, employees should not download and use software that has not been reviewed and approved by the company.
- Report Security Incidents. A procedure should be in place for employees or contractors to report malicious malware in the event it is inadvertently imported. All employees should know how to report incidents of malware and what steps to take to help mitigate damage
How Data Breaches Occur
- Lost or stolen laptops, computers or other computer storage devices
- Backup tapes lost in transit because they were not sent either
electronically nor with a qualified human escort
- Hackers breaking into systems
- Employees stealing information or allowing access to information
- Information bought by a fake business
- Poor business practices - for example sending postcards with Social
Security numbers on them
- Internal security failures
- Viruses, Trojan Horses and computer security loopholes
- Information tossed into dumpsters - improper disposition of information