When collecting personally identifiable information (PII) from customers, businesses are like busy bees gathering nectar to make honey. But if you own a business, ask yourself: Do we really need this information? If you do, you have an ethical and legal obligation to help ensure the data is well protected.
The U.S. General Services Administration defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”
PII might be one of those acronyms you have heard tossed around casually. If so, consider this: There’s a new, concerted effort to protect personally identifiable information within almost every government department at the federal level.
Why? With data breaches on the rise, ransomware and stolen identities have become a regular part of the news cycle. According to a recent Pew Research Center study, 64% of Americans surveyed have had their personal information exposed through a data breach.
The study also found that 41% of respondents had experienced fraudulent credit card charges; 35% had valuable information compromised, like a bank account number; and 14% indicated that an unauthorized line of credit was opened in their name. These numbers are on the rise and reflect a serious, ongoing situation.
What does all this mean for business owners? If you run and manage a business, you have an ethical and legal responsibility to protect customers who have trusted you with sensitive information, such as Social Security numbers, bank account numbers, mobile phone numbers and email addresses.
The Bureau of Consumer Protection of the U.S. Federal Trade Commission recommends five basic steps that all businesses, large and small, should take to protect the PII of their customers. It’s a simple, practical approach that doesn’t require buying new software or expensive devices.
Let’s focus on step 2: Scale down and keep only the customer PII your business needs. To make the process manageable, break it down into two parts. The first part is properly deleting all the PII stored in electronic and printed company files that is no longer needed.
The second part is to thoroughly understand the process used to gather PII and delete sensitive personal data that is no longer required. The less PII you collect, the less your business has to protect, and the less you need to delete later.
Start with customer credit card information. Does your business need to keep this data? Don’t store account numbers and expiration dates in plain text. Keeping unnecessary sensitive data raises the risk that it might be used to commit fraud or identity theft.
Next, consider Social Security numbers. Even if your business uses them to identify customers or because it has been standard practice in the past, these are no longer valid reasons.
Many companies use mobile apps to conduct business and communicate with new customers. If your business is developing a mobile app, ask yourself: How can we collect only essential customer PII? Now that becomes the scope of information you need to protect.
To help ensure that all your employees understand and follow company rules, document and then train employees on security awareness and records retention. Describe what information must be retained, how it will be secured, how long the data will be stored and how it will be disposed of securely when no longer needed.
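What the "scale down" step and a written retention policy look like when applied to stored electronic records, as an added example that is not part of the original article or the FTC guidance: the script scans constructed sample customer records for Social Security numbers and card numbers (using the Luhn checksum to separate real-looking card numbers from other digit runs), drops SSN fields, replaces full card numbers with a last-four reference, and purges whole records older than an assumed retention window. The record layout, field names, the 365-day window and the sample data are all assumptions made for this example.

```python
"""Added example (not from the original article): a data-minimization pass
over stored customer records.

Assumptions (constructed for this example, not from the article):
- Records are dicts with a timezone-aware 'created_at' and free-form string fields.
- Policy: drop SSNs entirely, keep cards only as a masked last-4 reference,
  and purge whole records older than RETENTION_DAYS.
"""
import re
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # assumed retention window from the written policy

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for digit strings that look like real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Report which kinds of PII a text field contains."""
    found = {"ssn": bool(SSN_RE.search(text)), "pan": False}
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found["pan"] = True
            break
    return found


def mask_pan(text: str) -> str:
    """Replace each Luhn-valid card number with '****' plus its last four digits."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "****" + digits[-4:] if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, text)


def minimize_record(rec: dict) -> dict:
    """Drop any field holding an SSN and mask card numbers in the rest."""
    out = {}
    for key, value in rec.items():
        if isinstance(value, str):
            if SSN_RE.search(value):
                continue            # SSN is never a valid reason to keep a field
            value = mask_pan(value)
        out[key] = value
    return out


def apply_retention(records, now, retention_days=RETENTION_DAYS):
    """Purge records older than the retention window; minimize the rest."""
    cutoff = now - timedelta(days=retention_days)
    kept, purged = [], 0
    for rec in records:
        if rec["created_at"] < cutoff:
            purged += 1             # whole record past retention: delete it
            continue
        kept.append(minimize_record(rec))
    return kept, purged


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [  # constructed sample data, not real customers
    {"name": "Ann Example", "created_at": NOW - timedelta(days=30),
     "notes": "Paid with card 4111 1111 1111 1111, exp 12/27",
     "ssn": "123-45-6789"},
    {"name": "Old Customer", "created_at": NOW - timedelta(days=800),
     "notes": "card 4111111111111111"},
]


def run_example():
    """Apply the policy to the sample records; returns (kept_records, purged_count)."""
    return apply_retention(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    kept, purged = run_example()
    print(f"purged {purged} record(s); kept {len(kept)}:")
    for rec in kept:
        print(rec)
```

Running the module purges the 800-day-old record and keeps the recent one with its SSN field removed and the card number reduced to `****1111`. The same scan-and-mask pass applied to an existing export of company files is a practical way to find out what sensitive data is still stored before deciding what to delete.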
Remember that a critical part of being a business owner is training your staff to recognize the importance of effective PII protection. Employees must follow the guidelines described in the company’s written policy. The benefits of a mindful PII approach extend to your customers, your business and everyone within the company.