Data Security: How can I protect my paper records?
On March 1, 2010 Massachusetts passed a new law requiring that all organizations take certain steps to secure the personal information of any Massachusetts customers or employees, or be subject to fines and penalties for non-compliance.
For example, if your company, nonprofit, or volunteer-run organization has individual or corporate customers in Massachusetts who pay you by check, or you have any Massachusetts employees or contractors, then this law applies to you.
As I've written before, there are two basic approaches to complying with this law:
- Doing the minimum specifically required by the law, or
- Doing more than what's required, within reason, especially when it's simpler
How could doing more be simpler? For example, you may determine that out of your 100 clients, you handle personal information for 10 of them. The minimum approach would be to move the paper records for those 10 clients into a new locked file cabinet, leaving the records for your other 90 clients in your old (unlocked) file cabinet. However, the simpler approach would be to put all of your clients' records into one locked file cabinet, which is more than required by law but probably less overall work for you.
Getting started: What sensitive paper records do you handle?
- Get familiar with the state's definition of "personal information" (see "Data Security: The new Massachusetts law you can't ignore" at http://kadansky.com/files/newsletters/2010/2010_03_17.html).
- Identify the particular types of customer personal information your organization handles, no matter how briefly, including customer checks or credit card information. For example, how are checks received from customers? Where are they kept before they're deposited? Do you make copies of them? Who deposits them?
- Identify any personal information your organization handles regarding any employees or contractors. For example, how are your payroll and 1099 records stored? Who has access?
- As part of this process you could also secure your own business records. Where does your organization store its own sensitive records, including your checkbook, bank and credit card statements, income and expense records, tax records, incorporation papers, etc.?
What access to records do you have?
- Identify any information you handle that could lead to personal information. For example, customer passwords (which give access to their email accounts, voice mail systems, computer log-ins, bank accounts, credit card accounts, or retirement accounts) all lead to information which in turn may enable someone to get access to your customers' personal information, and even direct access to their money.
- How do you secure access to personal information on your premises? For example, the keys to your locked cabinets and offices, alarm codes, keyless remotes, and lock combinations should all be stored securely.
- Similarly, any spare keys to customers' or employees' homes or offices that you may handle, along with their alarm codes, keyless remotes, and lock combinations, should also be secured.
Are you currently handling those sensitive paper records in a secure way?
Once you've identified what
sensitive information you're handling, the next step is to examine how
you're handling it, from the perspective of security. Ask yourself:
- Are you taking reasonable measures to protect that information from being seen by unauthorized people inside your organization?
- Is it also secure from being seen or stolen by people outside your organization?
- Does sensitive information arrive by mail or fax? Is your mailbox or fax machine out in the open for anyone to see? Could an unauthorized person see or take your payroll reports, paychecks, or confidential mail from customers?
- Do you or your employees leave confidential information on their desks or in unlocked rooms or cabinets? Does such information get taken home at night?
- How does obsolete sensitive information get archived or disposed of?
Are there any sensitive paper records you could get rid of, reducing your exposure?
Decide whether any of the information you're handling is actually important for your organization to operate. Getting rid of any unnecessary customer information (and, if possible, no longer collecting it going forward) eliminates the risk of that information being stolen.
For example, if you're in the habit of photocopying the checks that customers give you in payment, once those checks have cleared you could shred those copies instead of keeping them long-term.
What would it take to make those sensitive paper records secure?
Now that you've identified your security risks, what reasonable steps can you take to minimize or eliminate them? For example:
- Lock up your mailboxes, file cabinets, desks, or private offices, and only give access to appropriate people.
- Move your fax machine out of a public area into a private, locked office.
- Adopt a strict, formal, written policy on how your organization handles sensitive information.
- Train your employees, contractors, and vendors on your policies.
- Require your vendors to secure any sensitive customer or employee records you need to share with them.
Involve your employees, contractors, and vendors in the process of keeping this information secure. They probably have many great ideas to contribute.
Changes I've made in my business
In my client records, I keep track of personal information for some of my clients at their request. I decided that securing all
of my clients' information (beyond what the law requires) was simpler and easier than doing the minimum. Towards that end, here's what I've done so far:
- Since the file cabinet I was using to store my active client records was almost full, I bought a second file cabinet and moved the rest of my paper records into it, including the records of my inactive clients and my own business records.
- Since neither file cabinet had a built-in lock, I hired a handyman to install "lock bars" (also called "swing-away file cabinet locking bars") on each cabinet. These are hinged vertical metal bars that, when swung shut and locked with an external lock, prevent the drawers from opening.
- I didn't want to keep track of any keys, so instead of regular padlocks I bought "set-your-own-combination" locks (also called "resettable combination padlocks"), and added the combinations to my password chart.
- I've changed how I handle paper records with increased security in mind. When I leave my office I now lock all business-related papers in my file cabinets instead of leaving them on my desk, including client projects, not-yet-deposited checks, and my "paper to be shredded" pile.
Where to go from here
- Review the sensitive customer and employee paper records that your organization handles, and find reasonable ways to secure them from being stolen.
- Set up locked storage for sensitive paper records (desks, file cabinets, offices, etc.).
- Buy a good-quality cross-cut paper shredder (not one that makes long strips, nor a cheap one that balances on top of a trash can), or hire a trustworthy paper shredding service.
- If you find "set-your-own-combination" locks appealing (also known as "resettable combination locks"), I've seen them at stores like Home Depot, including dial combination locks ("right 24, left 17, right 5") along with 3- and 4-digit brass locks, all made by Master Lock.
If you know someone who might find this helpful, please feel free to forward it.
If you have any comments about this article, send me a reply!
If you have a topic that you'd like me to write about, I'd love to hear about it!
How to contact me:
phone: (617) 484-6657
On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to firstname.lastname@example.org
and I'll add you to the list, or visit http://www.kadansky.com/newsletter
Did you miss a previous issue? You can find it in my newsletter archive: http://www.kadansky.com/newsletter
Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out.
Copyright (C) 2010 Kadansky Consulting, Inc. All rights reserved.
I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.