10. Secure paper, physical media, and devices.
Network security is a critical consideration, but many of the same lessons apply to
paperwork and physical media like hard drives, laptops, flash drives, and disks. FTC
cases offer some things to consider when evaluating physical security at your business.
Securely store sensitive files.
If it’s necessary to retain important paperwork, take steps to keep it secure. In the
Gregory Navone case, the FTC alleged that the defendant maintained sensitive
consumer information, collected by his former businesses, in boxes in his garage. In
Lifelock, the complaint charged that the company left faxed documents that included
consumers’ personal information in an open and easily accessible area. In each case,
the business could have reduced the risk to its customers by implementing policies to
store documents securely.
Protect devices that process personal information.
Securing information stored on your network won’t protect your customers if the data
has already been stolen through the device that collects it. In the 2007 Dollar Tree
investigation, FTC staff said that the business’s PIN entry devices were vulnerable
to tampering and theft. As a result, unauthorized persons could capture consumers’
payment card data, including the magnetic stripe data and PIN, through an attack known
as “PED skimming.” Given the novelty of this type of attack at the time, and a number
of other factors, staff closed the investigation. However, attacks targeting point-of-sale
devices are now common and well-known, and businesses should take reasonable steps
to protect such devices from compromise.
Keep safety standards in place when data is en route.
Savvy businesses understand the importance of securing sensitive information when
it’s outside the office. In Accretive, for example, the FTC alleged that an employee left
a laptop containing more than 600 files, with 20 million pieces of information related to
23,000 patients, in the locked passenger compartment of a car, which was then stolen.
The CBR Systems case concerned unencrypted backup tapes, a laptop, and an external
hard drive – all of which allegedly contained sensitive information – that were lifted from
an employee’s car. In each case, the business could have reduced the risk to consumers’
personal information by implementing reasonable security policies when data is en route.
For example, when sending files, drives, disks, etc., use a mailing method that lets you
track where the package is. Limit the instances when employees need to be out and
about with sensitive data in their possession. But when there’s a legitimate business
need to travel with confidential information, employees should keep it out of sight and
under lock and key whenever possible.