■ Inventory all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers and other equipment to find out where your company stores sensitive data. Inventory the information you have by type and location. While your file cabinets and computer systems are a start, keep in mind that your business receives personal information in a number of ways – through websites, from contractors and more. What about information saved on laptops, employees’ home computers, flash drives, digital copiers and mobile devices?

■ Track personal information through your business by talking with your sales department, information technology staff, human resources office, accounting personnel and outside service providers. Get a complete picture of:

✓ Who sends sensitive personal information to your business. Do you get it from customers? Credit card companies? Banks or other financial institutions? Credit bureaus? Job applicants?

✓ How your business receives personal information. Does it come to your business through a website? By email? Through the mail? Is it transmitted through cash registers in stores?

✓ The type of information you collect at each entry point. Do you get credit card information online? Does your accounting department keep information about customer checking accounts?

✓ Where you keep the information you collect at each entry point. Is it in a central computer database? On individual laptops? On a cloud computing service? On employee smartphones, tablets or other mobile devices? On disks or tapes? In file cabinets? Do employees have files at home?

✓ Who has – or could have – access to the information. Which of your employees has permission to access the information? Do they need access? Could anyone else get a hold of it? What about vendors who supply and update software you use to process credit card transactions?


If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary.

■ Use Social Security numbers only for required and lawful purposes, like reporting employee taxes.

■ Don’t keep customer credit card information unless you have a business need for it.

■ Scale down access to data. Each employee should have access only to those resources needed to do their particular job.

If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it and how to dispose of it securely when it’s no longer needed.

24 | The Retailer Magazine | Mar/Apr
