1. Securing Personal Data — Start with the Basics


  1. Inventory the TYPES of data you collect, store and/or transmit.
    • Names
    • Physical addresses
    • Residential phone numbers
    • Mobile phone numbers
    • Email addresses
    • Payment card information
    • Account numbers
    • Invoice numbers
    • Social Security numbers
    • Drivers license numbers
    • Business identification numbers
    • Types and amounts of transactions
  2. Inventory HOW you store your data.
    • Paper invoices
    • Paper mailing lists
    • Paper customer files
    • Paper order requests
    • Email
    • Databases
    • Spreadsheets
    • Contracts
    • Business plans
    • Financial reports
  3. Inventory WHERE you store your data for each type and format of customer information.

    Physical storage sites

    • Desk drawers
    • Filing cabinets
    • Mail room
    • Home offices

    Electronic storage sites

    • Desktop computers
    • Laptop computers
    • Servers
    • Smartphones
    • Tablets
    • USB/thumb drives
    • CDs, DVDs
    • Online hosts/cloud providers
  4. Inventory HOW DATA IS MOVED and WHO HAS ACCESS to it.

    Take into consideration your type of business and the desktop and mobile tools your employees use to do their jobs. This is an important part of the inventory process, as it will help you begin to identify the potential ways that sensitive data could be inadvertently disclosed. If you think you need outside help to identify potential leak points, consider consulting with an IT security expert and/or the bank or processor that provides your merchant account services.

    Data Access & Flow Checklist
      Connected or Networked? Who has Access? Does it Leave the Office? Is it Accessible Off-site? Does it Provide Internet/Email Access?
    Physical storage sites
    • Desk drawers
    • Filing cabinets
    • Mail room
    • Home offices
    Electronic storage sites
    • Desktop computers
    • Laptop computers
    • Servers
    • Smartphones
    • Tablets
    • USB/thumb drives
    • CDs, DVDs
    • Online hosts/cloud providers
    Control/Protection Tools Checklist
      No If Yes, How?
      • All machines that have important data or are connected to a network are password protected?
      • All machines that have important data can only be accessed by employees who have a business need to access the data?
      • All machines that have important data or are connected to a network reside behind a corporate firewall?  The firewall software must be configured to receive regular security updates.
      • Computer operating systems have all current updates and patches on all devices?
      • Antivirus software is fully up-to-date on all machines?  Scans should be run on a regular basis—at least once a week.
      • Data encryption in place on all devices that store sensitive information?
      • Electronic data is automatically backed up and can be restored in the event of human error, system failure or natural disaster?
      • You and your employees know how to recognize — and avoid — phishing emails that may enter via business or personal email accounts?
      • Controls are in place for third parties, such as consultants and independent sales representatives, requiring them to safeguard sensitive data?
      • Malware protections for what may try to enter via:
        • Business email accounts?
        • The Internet (i.e., web browsers, web-based email)?
      • Portable storage devices (e.g., USB sticks, iPods) cannot be connected to endpoint machines and download sensitive data without authorization?
  6. Evaluate COSTS versus BENEFITS of different security methods. Brainstorm different types of security procedures and think about whether they make sense for the type of information you maintain, the format in which it is maintained, the likelihood that someone might try to obtain the information, and the harm that would result if the information was improperly obtained.
  7. Write it down. Type up the checklists you’ve just created, the security measures you are taking, and an explanation on why these security measures make sense.

    Congratulations — you've just created the foundation of your written information security policy!

Minimum Security Checklist for Small Businesses

Minimize what you save & store

  • Don't collect or retain information you don't absolutely need.
  • Destroy information when it is no longer needed...and destroy it responsibly.

Use effective passwords

  • Never use the default password provided by another company or service provider.
  • Use "strong" passwords that are unique to each user. Strong passwords include some combination of numbers, letters, and symbols. Never use obvious passwords such as your name, your business name, any family member's name, "12345," "ABCDE," "password" or your user name.
  • Change passwords frequently — every 45-60 days.

Block potential intruders

  • Restrict computer use to business-only purposes. Malware and viruses can sneak onto business machines when employees use them to visit social networking and other personal websites.
  • Protect your IT systems from viruses and spyware by using up-to-date antivirus protection and firewalls. Most operating systems and antivirus programs contain an automatic update feature that updates the software as new viruses and spyware become known.
  • Antivirus may not be enough. Consider supplementing your antivirus protection and firewalls with other specialized protection tools, such as intrusion prevention and anti-spam technologies. Run full scans for virus and spam detection at least once a week.

Back-up and recover information

  • Reduce business downtime from simple human error, hardware malfunctions or disasters. Put protections in place that will ensure ready access to data and easy data recovery should any of these occur.
  • Store backups or copies of your backups in a secure location that is physically separate from your operational systems.

Restrict access

  • Limit the number of sites/locations where information is stored.
  • Keep paper records in a locked cabinet, or in a room that stays locked when not in use.
  • Limit access to data to only those employees or outside providers that need the information to do their job.
  • Encrypt sensitive electronic information in every location it is stored.
    • Most standard software packages, including Microsoft Office, come with basic encryption software already downloaded.
    • If your business electronically processes a great deal of sensitive information, invest in higher-level security software to provide advanced encryption software for desktops, laptops, and removable storage devices.
  • Do not store sensitive information on portable storage devices (e.g., USB drives, CDs, laptops, smartphones, tablets, etc.) as these are frequently lost or stolen. If this practice is unavoidable, make sure the devices are secured and the information is encrypted.

Use Caution when sharing

  • Transmit data over the Internet using secure connections such as SSL technology. Several companies offer relatively inexpensive web-based sites, known as FTPS sites, which can transfer data with a secure connection.
  • Do not transmit sensitive information by regular email unless it is encrypted.
  • Take precautions when mailing records. Use a security envelope, require the recipient to sign for the package, and ask the delivery service to track the package until it is delivered.


35% of data breaches involve a contractor or someone inside the organization.

Source: 2013 Ponemon Institute Cost of Data Breach Study