With all of the recent high-profile privacy breaches (e.g., ChoicePoint), many pundits are speculating that identity theft may give rise to a wave of lawsuits against companies that fail to properly handle or secure personally identifiable information (PII). Corporate Counsel magazine has an excellent article on the topic that is a must-read if your company collects, stores or otherwise uses PII. The article contains a number of tips, including the following:
“• Only hold personal data you need. Nonessential data can be a liability rather than an asset. Do you really need customers’ Social Security numbers? Do you have to store their credit card numbers forever? Avoid gathering nonessential personal data, archive it after use rather than storing it in readily accessible customer master files, and discard or archive data for

• Keep personal data secure. Store data securely, preferably in encrypted form. Avoid storing personal data on laptops, PDAs and other mobile devices. Limit access to only those who need it. Have a full audit trail of who accesses each record. Restrict large-scale downloads and monitor employees for unusual access volume or timing. Ensure good physical as well as information systems security over personal data. Consider the security aspects of how you transmit personal data to customers and employees. Sending thousands of letters or e-mails with such data is asking for trouble, as they may be

• Do what you say you’ll do. Only promise employees and customers a level of personal data security that you can deliver. Whatever you promise, ensure you adhere to it.

• Make security a priority with your employees. Background checks are essential on all employees who will have access to personal information. This will not guarantee that you will be protected from employee theft — studies show that employees who commit white-collar crime tend to be first-time offenders — but it will help protect you from predatory employees.”
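The "full audit trail" and "monitor employees for unusual access volume or timing" tips only pay off if someone actually reviews the trail. The following script is an added example, not code from the Corporate Counsel article or from this post: it reads a constructed audit log (one line per record access, in an assumed `<ISO-8601 timestamp> <user> <action> <record-id>` format) and flags two things the article calls out, a user pulling far more records in a day than their own baseline or an absolute cap allows, and accesses at odd hours. The log lines, the thresholds, the business-hours window and the user names are all constructed for the example.

```python
"""Review an access audit trail for unusual volume or timing.

Added example (not from the Corporate Counsel article or this post). It assumes
a constructed log format, one line per record access:
    <ISO-8601 timestamp> <user> <action> <record-id>
and illustrative thresholds; both are assumptions, not any real product's format.
"""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean, pstdev

# Constructed sample audit trail (not real data). March 1-4, 2005 are Tue-Fri.
AUDIT_LOG = []
for day in range(1, 5):                       # four ordinary business days
    for i in range(3):
        AUDIT_LOG.append(f"2005-03-0{day}T10:0{i}:00 alice read customer/{day}0{i}")
        AUDIT_LOG.append(f"2005-03-0{day}T14:0{i}:00 carol read customer/{day}0{i}")
# Saturday 02:30: a single off-hours access by bob (timing anomaly).
AUDIT_LOG.append("2005-03-05T02:30:00 bob read customer/777")
# Monday March 7: alice pulls 120 records in two hours (bulk-download anomaly).
AUDIT_LOG += [f"2005-03-07T{9 + m // 60:02d}:{m % 60:02d}:00 alice read customer/{1000 + m}"
              for m in range(120)]


def parse_log(lines):
    """Turn raw lines into dicts; a malformed line is reported, not silently dropped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed audit line: {line!r}")
        ts, user, action, record = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record})
    return events


def daily_counts(events):
    """user -> {date: number of records accessed that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        counts[ev["user"]][ev["ts"].date()] += 1
    return counts


def flag_unusual_volume(events, absolute_cap=100, sigma=3.0, min_baseline_days=3):
    """Return (user, date, count) for days that look like a bulk download.

    Two tests, either of which flags the day:
      * an absolute cap, i.e. the "restrict large-scale downloads" control; and
      * a per-user baseline: the count exceeds mean + sigma*stdev of that user's
        other days AND at least doubles the mean (the doubling guard stops a
        zero-variance baseline from flagging a single extra lookup).
    """
    findings = []
    for user, per_day in daily_counts(events).items():
        for day, n in sorted(per_day.items()):
            baseline = [c for d, c in per_day.items() if d != day]
            over_cap = n > absolute_cap
            over_baseline = False
            if len(baseline) >= min_baseline_days:
                mu, sd = mean(baseline), pstdev(baseline)
                over_baseline = n > max(mu + sigma * sd, 2 * mu)
            if over_cap or over_baseline:
                findings.append((user, day.isoformat(), n))
    return findings


def flag_off_hours(events, start=time(8), end=time(18)):
    """Return (user, timestamp) for weekend accesses or ones outside start..end
    (an assumed business-hours window)."""
    return [(ev["user"], ev["ts"].isoformat()) for ev in events
            if ev["ts"].weekday() >= 5 or not (start <= ev["ts"].time() < end)]


def review(lines):
    """Run both checks over raw log lines and group the findings by kind."""
    events = parse_log(lines)
    return {"volume": flag_unusual_volume(events), "timing": flag_off_hours(events)}


if __name__ == "__main__":
    for kind, hits in review(AUDIT_LOG).items():
        for hit in hits:
            print(kind, *hit)
```

On the constructed log this flags alice's 120-record Monday and bob's Saturday 02:30 access, and nothing else. The per-user baseline matters more than the fixed cap in practice: a billing clerk who legitimately touches 80 records a day looks nothing like a salesperson who normally touches five, so a single global threshold either misses the salesperson's 60-record day or drowns the reviewer in billing noise. Whatever thresholds you settle on, the point of the article's tip is that the audit trail is reviewed on a schedule, not merely kept.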