Business Solutions Center
Security Center


Home Resources Security Center Keeping Customer and Employee Information Safe

Keeping Customer and Employee Information Safe

Keeping Customer and Employee Information Safe

Most individuals now realize how critical it is to protect their personal information. Awareness of personal identity theft has increased over the years, especially as high profile commercial data breaches have occurred. Consumers not only understand the importance of safeguarding their personal information on their own, but they also expect businesses to do so as well.

For businesses, protecting customer information is also the law.

The Fair and Accurate Credit and Transactions Act (FACTA) requires businesses to destroy personal information obtained from customers and employees before it can be discarded.

This means if you don't have a shredder, you should get one. Whether you own a multi-million dollar business, employ a personal assistant, or anything in between, if you obtain information about an employee or customer, you must destroy any information you no longer need such as:

  • Financial account information
  • Social Security numbers
  • Driver's license information
  • Medical histories
  • And so on – Talk to a lawyer about what information you may have that may be subject to FACTA.

For example, you may have:

  • Checked Social Security numbers, references, and credit history for potential employees
  • Acquired employee bank account information to make direct payroll deposits
  • Checked a customer's credit report before offering a loan or extending credit
  • Received customer credit card information during a sale

If you take no other steps, buy a shredder today if you don't have one, and seek legal advice to determine what options are available to destroy electronic data. Shredders come in all sizes and price ranges, ranging from large industrial shredders costing thousands of dollars to small "personal" shredders costing around $30. For most small business needs, a heavy-duty personal shredder should be just fine.

But that's really just the beginning. No matter how you received the information, if you decide to throw documents away, you should destroy them first. Here are tips to help you protect information you don't plan to dispose of:

  • Restrict access to sensitive data to a "need to have access to" basis. If an employee doesn't need access, don't grant it.
  • Reward employees who identify security issues or potential threats. Make it everyone's job to keep customer information - and employee information - safe and secure.
  • Secure files, documents, and electronic data. Lock up documents when not in use. Limit access to only those employees who need access. Password-protect computers and electronic files. And again, shred any document you don't need to save.
  • Use a secure connection to transmit customer data. Transport Layer Security (TLS) or Secure Sockets Layer (SSL) may be used to protect credit card and other financial data transmitted via the Internet.
  • Encrypt files or data you store or send via the Internet.
  • "Wipe" your electronic files. Simply hitting "delete" doesn't permanently delete electronic information. A wiping program must be used to permanently delete unnecessary electronic data.
  • Develop a response plan in the event data is compromised. Determine ahead of time who to notify (banks, lawyers, law enforcement, customers, credit bureaus, etc.) Take action immediately; your customers would rather hear about problems - and what you plan to do to overcome the problem - from you rather than from someone else.

What happens if you don't protect customer information adequately? You could face:

  • Federal fines. The federal government could fine you for each violation.
  • State fines. States can also fine you for each violation.
  • Class-action lawsuits. If a number of people are affected, they may be able to bring class-action suits and get punitive damages.
  • Civil liability. The victim could be entitled to recover actual damages sustained, and you could also be required to pay statutory damages.

Protecting your customers and employees by putting practices into place that protect sensitive information is not just the law, it’s good business. Certainly you’d rather deal with businesses that have these types of policies too.

The information included on this website is designed for informational purposes only. It is not legal, tax, financial, or any other sort of advice; nor is it a substitute for such advice. The information on this site may not apply to your specific situation. We have tried to make sure the information is accurate, but it could be outdated or even inaccurate, in parts. It is the reader's responsibility to comply with any applicable local, state, or federal regulations, and to make their own decisions about how to operate their business. Nationwide Mutual Insurance Company, its affiliates, and their employees make no warranties about the information, no guarantee of results, and assume no liability in connection with the information provided.