Better Business Bureau®

Security & Privacy — Made Simpler™

Manageable Guidelines to Help You Protect Your Customers’ Security & Privacy From Identity Theft & Fraud

Security and privacy expertise contributed by Dr. Alan F. Westin and Dr. Lance J. Hoffman. Published March 2006.

©P&AB, 2006. All rights reserved. Security & Privacy — Made Simpler™

User’s Guide

No matter what type of business you are in, you probably collect, store and share information about your customers. Whether it is providing a necessary service, completing a financial transaction or creating a mailing list, customer data has become a key currency of today's information-based economy.

As a business owner, you make important strategic decisions that affect your bottom line. Each day, how you manage the security and privacy of the data you collect has become a core part of those strategic business decisions, because it can influence the success or failure of your business.

Data security and privacy management may appear complex and overwhelming, but you really don't need to become a privacy and security expert to manage it. All you need to do is to acquire the basic understanding of the issues and the business tools that will protect your customers…and your business.

Security and Privacy — Made Simpler™ is your Guide to getting your arms around many of today's data security and privacy challenges that affect small businesses, including:

• Recognizing attempts at theft and fraud.
• Understanding the importance of offline and online security and privacy practices.
• Developing a security and privacy policy, training your employees to comply with it, and communicating it to your customers.
• Handling, managing and protecting sensitive customer information.
• Managing employees as they interact with customers and their personal data.
• Credit card/debit card security—both during and after the actual transaction.
• Taking advantage of the latest technologies without compromising data security.
• Conducting international transactions securely.

Security and Privacy — Made Simpler™ advises you on how to incorporate basic security and privacy practices into your everyday business operations, offering you options, tips and advice that are right-sized for smaller businesses and will help you get started.

It is not intended to provide specific legal advice. The information is crafted—but not guaranteed—to be accurate, complete and up-to-date at the time of publication. Some of the information may not apply in your state or your particular line of business. Therefore, it is wise to consult an attorney familiar with the law in your jurisdiction and with your industry.

Security and Privacy — Made Simpler™ was developed through a partnership between the Better Business Bureau, a leader in promoting trust between businesses and the customers they serve, and Privacy & American Business, a leader in consumer and employee privacy and data protection issues and education.

This Guide is made possible through the support of corporate sponsors—industry leaders who are committed to the success of their small business customers.

Proud supporter of Security and Privacy — Made Simpler™. Powered by Security & Privacy — Made Simpler™.


Security is a complex issue. You can manage it. This Guide will help.

1. Customer Data Security & Privacy – A Key To Your Success ...... 4
2. Security Challenges Facing Small Businesses ...... 5
3. Developing Your Own Data Security & Privacy Plans ...... 5
4. Creating & Communicating Your Security & Privacy Policies ...... 6
5. Spotting Cyber Criminals ...... 7
6. Fighting Identity Theft ...... 8
7. Guidelines For Good Employee Practices ...... 10
8. Collecting, Protecting & Disposing Of Customer Data ...... 12
9. Securing Data In Your Office & Online ...... 13
10. Security Fundamentals ...... 15
11. Payment Card Security Requirements ...... 17
12. If You Have Data Lost Or Stolen ...... 19
13. Managing Official Requests For Your Data ...... 20
14. If You Do Business Globally ...... 20
15. Additional Resources ...... 22
16. Customized Insights from eBay ...... 23

For more security and privacy tools and resources for small business, see www.bbb.org/securityandprivacy.

85% of Americans are worried about becoming victims of identity theft.

58% of consumers say if they were confident a business followed its security and privacy policies, they would be likely to recommend that business to family and friends.

When your customers know you treat their personal information with the care it deserves, they will become more loyal and active customers.

1. Customer Data Security & Privacy—A Key To Your Success

Customers Care – You Should, too

When your customers know that you treat their personal information with care and apply good security and privacy practices, their trust and confidence in your business will grow.

You’re Responsible For Customer Data

Businesses of all sizes—not just the big corporations—are held responsible for complying with federal and state customer data security and privacy laws. Here is a sample of how existing privacy laws may affect your small business:

Security & Privacy Drive Consumer Purchasing Decisions

• 85% of Americans are worried about becoming victims of identity theft.
• 64% of consumers say they had decided not to buy a company’s product or service because they did not know how the company would use their personal information.
• 58% of consumers say if they were confident a business followed their declared security & privacy policies, they would recommend that business to family & friends.

Source: Privacy & American Business.

Here is a snapshot of existing federal privacy laws with which your small business might need to comply:

• All small businesses must comply with the federal and state Fair Credit Reporting Act (FCRA) when seeking to obtain consumer reports, such as credit reports and employment reports, about potential customers and employees.
• Many small businesses in the healthcare field must follow the privacy requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and its data security requirements.
• Small financial businesses must comply with rules established by the federal Gramm-Leach-Bliley (GLB) Privacy Rules and Safeguard Rules and the federal banking agency guidance under GLB. Companies that need to comply with GLB include those that might not necessarily think of themselves as "financial," such as automobile dealers, tax planners, and some travel agents.
• Currently, twenty-three states have laws on reporting data breaches (outlined on page 19 of this Guide), with potential penalties for security lapses that apply to both large and small businesses.

As a business owner, it is your responsibility to stay current on privacy and security laws affecting your business…and your customers.

An Ounce of Prevention …

Establish good security and privacy practices now. The alternative is decidedly distasteful. If you have a data breach resulting from weak security practices, you and your business can face lawsuits from federal or state agencies or your customers. The Federal Trade Commission (FTC) recently sued 12 companies it accused of having inadequate data security practices in violation of federal law. Lawsuits stemming from inadequate security practices can erode business equity, consumer trust and, ultimately, your bottom line. Even if you don't face legal action, your good reputation could be significantly compromised.



2. Security Challenges Facing Small Businesses

Firewalls Are Not Enough

In today's tech-heavy business world, you might think that the right combination of hardware and software will prevent data security and privacy exposures. But technology is just one piece of the security and privacy equation. Effective policies, along with proper employee training and business-wide implementation, are the other parts.

Suppose you've equipped your computer with the latest network security software—firewalls, encryption—and you think you've deployed strong security tools. One day a "customer" calls your business to ask what credit card you have on file for his "account." He gives his "name" and "address" to an employee who then looks up the "customer's" information on your computer. Your employee reads the credit card number to the caller.

But the caller is not a "customer." He is a criminal who found the name and address of one of your customers in a trash bin. This happens. To prevent it, you need a data security plan that includes simple steps, such as properly verifying a caller's identity, and employee training. Software alone can't prevent employee error. Employee training can.

Modern technologies, such as e-mail, e-commerce, and cell phones, have given us wonderful new tools to do business more effectively and efficiently. They have also created new layers of security that businesses need to secure to protect their customers' information. If you use these new tools, you must also take reasonable steps to secure them.

Security & Privacy Challenges Facing Small Business

• Customer and business ID theft.
• Data loss and theft.
• Noncompliance with federal and state data protection laws.
• Employee fraud and theft.
• Loss of trust ... and customers.
• Costly lawsuits stemming from sloppy security practices.
• Computer and hardware damage from viruses.

3. Developing Your Own Data Security & Privacy Plans

Find Your Weak Spots

Take a few moments with a blank piece of paper and a pen, or at your keyboard. List all the different ways your business collects, stores and uses personally identifiable customer and business information. Now list who handles or has access to the information—employees, relatives, customers, service providers or visitors. Personal information may include names, addresses, account numbers, Social Security numbers, credit/debit card numbers and phone numbers, as well as account patterns and transaction records.

Anyone who appears on your list is a data handler and should play a significant role in protecting sensitive information. They need to be properly trained to follow your security and privacy policies and practices.

You may want to involve managers or employees from each business area in this



exercise, to be sure that you are not overlooking any potential security weak spots. Making your employees a part of the security and privacy planning process will make them feel like valuable contributors to the team, and will also make it easier for them to remember your policies and follow them on the job.

One Size Does Not Fit All

All businesses are not alike. Review your security and privacy issues in light of your particular business and its operations, identify weaknesses, and take stock of your current ability to address them.

You may discover areas where you need input from a lawyer or technology consultant. It is important to be fully informed about your business' security risks so you can make the most appropriate, reliable and cost-efficient choices for your business.

Security & Privacy Reality Check

• Do you transact business on the Internet?
• Do you collect names, addresses, phone numbers, e-mail addresses or Social Security numbers or other personal information about your customers or employees?
• Do you accept credit or debit cards?
• Do you share customer information with other companies?
• Do you engage in direct mail marketing or telemarketing?
• Are you storing customer information for any period of time?

If you answered “yes” to any of these questions, your small business is in serious need of a data security and privacy plan.

4. Creating & Communicating Your Security & Privacy Policies

Once you identify your security needs, you can begin to write a security and privacy policy for your company. Your security and privacy policy tells your customers how you will treat their personal information—how you will collect it, use it, and keep it secure. It should also give your customers the ability to communicate to you if they wish to receive ("opt-in") or not receive ("opt-out"), "subscribe" or "unsubscribe" information from you and how they wish to receive marketing communications (e-mail, US postal mail, etc.). Smart companies offer meaningful privacy choices, and effectively carry them out. Those that don't, risk losing their customers.

Resources to Help You Write a Policy

• The Privacy Planner from BBBOnLine can help you generate a simple, but solid online privacy policy for your business: http://www.privacyplanner.com.
• The Direct Marketing Association (DMA) offers a small business-friendly online privacy policy generator: http://www.the-dma.org/privacy/privacypolicygenerator.shtml.

How to Communicate Your Policies to Your Customers

Once you have a written policy that accurately describes your intended actions with customer data, it is wise to communicate these policies to your customers.

• Post it on a prominent sign in your store or office.
• Give customers a copy of it when they complete a transaction with you.
• Post it on the homepage of your web site.


• If your customers have agreed to receive e-mail notices from you, tell them about your security and privacy notice in an e-mail, and let them know where they can find the full notice.
• Mail it to your customers as a separate promotional piece.

Posting a Security & Privacy Policy Provides a Competitive Advantage

Having and following a security and privacy policy will:

• Increase the trust and confidence your customers have in your business. When they know that you plan to use their information carefully and keep it secure, they will be more likely to share it with you.
• Help distinguish your business from your competition.

Prominent Security & Privacy Policies Build Businesses

• 89% of consumers felt more confident in giving personal information to a business that had a detailed but readable privacy policy.
• 58% of consumers said that if they were confident a business followed the privacy policies it presented, the consumer would be likely to recommend the business to family and friends.

Source: Privacy & American Business Study

5. Spotting Cyber Criminals

The number and sophistication of online fraud attacks is increasing. Here are some ways criminals attempt to get sensitive information from computers and individuals:

• Viruses: man-made programs or pieces of code that are loaded onto your computer without your knowledge. Viruses result in a wide range of disruptive consequences on a computer or network, including the deletion or corruption of files. New viruses are introduced to the Internet every day.
• Spyware: software that secretly collects information from a computer, such as what Internet sites are visited and what keystrokes (including passwords and credit/debit card numbers) are entered. Spyware transmits that information to a third party for a variety of uses, ranging from presenting tailored advertising or general spam to credit/debit card fraud and ID theft. Spyware is often installed on your computer as part of a downloaded application or via a downloaded e-mail attachment.
• Phishing: uses fake e-mails and web sites that closely replicate their authentic counterparts to trick recipients into "verifying" their personal information.
• Pharming: redirects an individual's web site request to a fraudulent site that closely replicates its authentic counterpart.
• Keyloggers, Bots, Trojans and more: applications that may appear to be benign or even helpful, but are actually destructive to files on your computer. These introduce viruses or malicious code onto your computer that can be programmed to execute any number of disastrous actions, and send sensitive information to a third party.

Consider installing a web browser tool bar to help protect you from known phishing web sites. Earthlink offers such a free tool, called ScamBlocker, at: http://www.earthlink.net/software/free/toolbar.

eBay also offers an anti-phishing and account protection toolbar that alerts users when they're on a potentially fake eBay or PayPal site: http://pages.ebay.com/ebay_toolbar/.


Ways to Avoid Being a Victim of Online Fraud

• Always verify whom you are doing business with before revealing personal information.
• Ensure your browser is current with all security patches installed.
• Use anti-virus and anti-spyware software, and keep it updated.
• Be suspicious of any e-mail with "urgent" requests to validate or verify personal information.
• Don't download anything that comes from a source you don't know. This includes e-mail graphics, screen savers, free software, etc.
• Don't fill out any forms that come to you in an e-mail and request personal information, unless you definitely know and trust the source.
• Don't allow your children to use your business computers. Children are not aware of online threats, and can download items without considering what might be attached to them.

6. Fighting Identity Theft

How Identity Theft Happens

ID and data thieves have an arsenal of high-tech and low-tech ways to steal personal information. Once they have your information, they will be able to assume—and misuse—the identity of your customers. They may even try to assume your identity.

How Identity Thieves Strike

Low-Tech Methods

Dumpster Diving: thieves steal mail or papers with personal information left in the trash of your business or someone's home and not properly destroyed or shredded.

Mailbox Theft: thieves steal mail left in your business' unsecured mailbox or at someone's home.

Employee Theft: thieves within your business steal the personal information of your customers or of fellow employees.

General Theft: thieves steal an individual's wallet, check, credit/debit card with personal information, desk top and lap top computers—crimes often carried out by friends, relatives, in-home workers or others known by the victim.

High-Tech Methods

Computer Hacking: hackers get unauthorized access to your business computer or computer network and steal customer information from your database.

Phishing: thieves send fraudulent e-mails that appear to be from a legitimate company, and create a fake web site that looks like the legitimate company site. They do this to trick your customers into revealing their personal information.

Pretexting: thieves make phone calls to your business and others in a "victim's" name, in an attempt to find out more information about the "victim." Or, they will call a consumer claiming to be from a legitimate company, and attempt to obtain personal information.



What ID Thieves Want—Your Customers' Personal Information

Criminals are after credit/debit card numbers, Social Security numbers, driver's license information and numbers, mailing addresses, e-mail addresses, and telephone numbers. They also look for this information in your product orders, account statements and mail.

How They Use This Information

Data thieves will open fraudulent credit card accounts in your customers' names, make purchases without their knowledge, get a loan in your customers' name, or open a fraudulent bank account in your customers' name and write checks on that account. In addition, they can open fraudulent accounts with your business and make fraudulent charges to your customers' accounts…with you.

Small Businesses Can Be ID Theft Victims, Too

Business identity theft occurs when someone steals information about a business to commit fraud. Thieves may specifically target small and medium sized businesses because their data security programs may not be as strong as those of larger companies.

They want your business credit/debit card account numbers, your bank account numbers, your Federal Employer Identification Number, and other federal and state governmental identification numbers.

How They Use This Information

ID thieves can use your stolen business information to open a credit card account in your business' name, make purchases without your knowledge or get a loan in the name of your business. They will open a bank account in the name of your business, write checks on that account, and take out money from the existing accounts of your business. In some cases, ID thieves may secure enough information that they can actually sell your business or commercial property without your knowledge.

Real Data Theft Examples

• An old laptop, with a company's customer records still on it, was sold via a newspaper ad. The records were still openly readable and could have been used to commit fraud by the purchaser, who alerted the seller about what he'd found.
• Two computers were stolen from a medical practice's unlocked computer room. They contained easily accessible billing records and unencrypted sensitive personal information in the form of billing codes.
• A courier service driver, carrying a package of customer data, left his unlocked vehicle running while he made another delivery. While he was away from his vehicle, the package was stolen.
• Perfectly readable, discarded printouts of personal records were thrown into a dumpster. They were later put to practical use by the finder to wrap fish at an outdoor market.
• In Florida, print-outs of thousands of medical records were found in various trash bins across the area. The records included details of sexually-transmitted diseases, psychological problems, addictions, and even intimate details about a patient's sex life.
• An employee in an accountant's office used client data to file false income tax returns in order to receive tax refunds ... until that employee was finally caught.


What You Can Do

Here is a checklist of things you can do to protect your business from identity theft. You will find more details in Chapters 7, 8, 9, and 11.

Physical Security Tips To Protect Your Business & Your Customers

• Shred or cross-shred papers with personally-identifiable customer or business data before throwing them away, or use a document disposal company to destroy the papers for you.
• Send and receive business mail from a secured mailbox or a post office box.
• Conduct regular software audits of computers.
• Train employees to watch for suspicious activity among other employees, customers, or people coming to your business premises.
• Consider telling your customers how they can spot phishing efforts, and how they should verify that it's your communication before releasing any personal information.
• Verify the identity of a customer before discussing or providing any customer account information by telephone or e-mail. Then take appropriate steps to provide it in a manner that is secure.
• Secure your physical space with locks and alarms.
• Secure your business, customer and employee records in locked cabinets.

7. Guidelines for Good Employee Practices

Screen Your Employees

Identity theft can originate in the workplace. Exercising care to hire honest employees is one of the best ways to help secure your business and reduce the risk of identity theft or fraud to you or your customers.

Past behavior is widely considered to be the best predictor of future behavior, though it is not a perfect tool. Conducting background spot-checks can assist you in learning and assessing the character pattern of prospective employees (or of your current employees—if you did not use a background spot-check before hiring them). The type of background spot-check to use depends on the size and nature of your business. If you handle lots of sensitive personal information, especially financial or health information, you might want to consider a full criminal background check. But if your business does not handle much customer personal information, a credit report can give you a useful snapshot of an applicant.

Because background spot-checks, themselves, raise privacy issues, handle this carefully. If you see a "red flag" in a background spot-check, confirm the accuracy of the information with the source before making a hiring decision.

Other factors to consider in this process might include:

• Whenever you order a background check on a prospective or current employee, state and federal laws require that you notify the person (in writing) that you intend to use a consumer report, and obtain their consent to do it. This process is a key element of the federal Fair Credit Reporting Act (FCRA). Most background checks contain a "consumer report." If you decide to reject an


applicant or release a current employee based on something in their consumer report, you must tell them that you have done so for this reason.
• Many states have their own laws that apply to background checks and consumer credit reports. Discuss with your attorney the requirements in your business’ home state or in other states in which your business makes hiring decisions.
• Have your employees sign a nondisclosure agreement, in which they will agree to keep your customer information confidential.

Control Employee Access to Sensitive Data

• Each of your employees should have access only to the sensitive information necessary to do their specific jobs. When you control employees' access to information, you significantly reduce the risk of data exposure.
• You can limit employee access to customer information by using a variety of physical and technological security measures, ranging from padlocks to passwords. For specific suggestions, see Chapter 9, Securing Data in Your Office and Online.

Train Your Employees

Writing privacy and security policies for your business is not enough. Your employees need training for how to protect the privacy, confidentiality and security of personal information. Your training program should address all the issues discussed in your security and privacy policy.

Tips for Creating and Executing a Security & Privacy Training Program

• Make it relevant, personal and timely.
• Tell employees why the topic is important to everyone involved.
• Role play with real-world scenarios that present examples of privacy and security choices your employees could face—and then explain how they should handle them.
• Include your managers.
• Update employees on new developments in this area as they occur.
• Train employees to use computer security tools.
• Advise them on the dangers of purchasing or downloading pirated or counterfeit software.
• Train them to regularly update all security software and browsers.
• Train employees to spot phishing attempts, and not to respond to them. Keep them updated on new phishing ploys. For more information on phishing visit http://pages.ebay.com/education/spooftutorial/index.html or http://office.microsoft.com/en-us/assistance/HA011400021033.aspx.
• Use specialized training for employees whose job functions require it.
• Teach your employees how to look for suspicious activity from other employees, customers, visitors, strangers or acquaintances on your business premises.
• Train all new employees about your information security policies.
• Reinforce your employee training at least semi-annually to ensure that employees regularly put their training into practice.


8. Collecting, Protecting & Disposing of Customer Data

Collecting

The type of information you collect from your customers depends on your individual business, and can range from simply a customer's name, address, telephone number, and e-mail address to significantly more personal information, such as credit/debit card numbers, account numbers, transaction summaries, consumer preferences, consumer credit reports, etc.

If you collect and store credit card information, you need to follow security rules set by the major credit card companies. See Chapter 11, Payment Card Security Requirements, for details: www.visa.com/cisp.

If you don't absolutely need a piece of customer information, don't collect it. Collecting customer data you do not need increases your security and privacy risks.

Be particularly careful about collecting and storing financial and personally identifiable information, including Social Security numbers, credit and debit card numbers, or driver's license numbers. Check your payment transaction software systems to determine if it is collecting sensitive data you aren't even aware of, such as the magnetic stripe of a payment card or the PIN information from a debit card transaction. If you have customer data you no longer need, discard it—securely. See Disposing for tips.

Protecting

You need to guard against both high-tech and low-tech opportunists. If your business is not kept physically secure, anyone can walk in and steal unprotected customer data from your cabinets, drawers, and desks. This has happened. The same is true about your own employees if they have access to sensitive information they don't need or shouldn't have to do their job. One of the larger data breaches in 2006 stemmed from employee access to sensitive customer data that was inconsistent with their job description. For tips on protecting against both high and low-tech predators, see Chapter 9, Securing Data in Your Office & Online.

Disposing

Disposing of personal data also is an access point for data/identity thieves. Sloppy security practices in data disposal can lead to theft.

The federal government issued a Disposal Rule amendment to the Fair Credit Reporting Act (FCRA), called the Fair and Accurate Credit Transactions Act (FACT Act). Both are enforced by the Federal Trade Commission. It mandates that all businesses that manage credit data—no matter their size—must take steps to ensure that discarded customer personal information is not accessible to unauthorized access. For more information on the Disposal Rule, and how it may affect your business, visit: www.ftc.gov/bp/conline/pubs/alerts/disposalalrt.htm.

Currently, the law applies only to information your business gets from credit reports (or other "consumer reports"). However, it is good business to follow sound data disposal practices when discarding sensitive customer information, whether or not the law specifically requires it.

Disposing of an Old Computer

Before discarding an old computer, permanently erase all customer personal information on the hard drive. Deleting files by putting them in the "recycle bin" or "trash" on your computer's desktop is not good enough. These "deleted" files remain on the computer and can be accessed using commercial recovery software.


To ensure you properly "clean" an old computer, purchase commercial erasure software, available from most computer and office supply stores. This will overwrite all the data on the drive. You also can remove the hard drive and physically destroy it, so that it cannot be used again.

Disposing of Electronic Files (not on a computer)

If you are disposing of a computer disk, CD, DVD, or other electronic storage tool that contains sensitive information, the same rules apply. Don't just delete. Permanently erase the data, using commercial erasure software. Or, physically destroy the tool so that no one else can use it.

Disposing of Paper Files

Before throwing away any papers containing customer information, destroy the papers by shredding or cross-shredding, burning or pulverizing them.

If you don't want to do it yourself, hire a waste disposal company to shred or pulverize records for you. Articulate your requirements for disposal when using an outside company, and ask them to provide you with a quarterly report stating what they've disposed of, and how and when disposal was completed. If the company is local, you may want to visit their operations site for yourself and check their record with the Better Business Bureau.

9. Securing Data in Your Office & Online

The following guidelines generally apply to businesses that use a blend of hard copy and electronic methods to conduct their business activity, as most businesses do today. Remember that ID thieves operate using both high-tech and low-tech methods.

Physical Security

• Keep customer account records and other personal information in locked cabinets.
• Don't leave papers or files unattended on desktops.
• Never leave a business premise open and completely unattended, even for a short time.
• Use a locked mailbox or a post office box for incoming and outgoing mail.
• Use security envelopes for bills or other mail containing personal information.
• Shred anything with customer or employee personal information before discarding it.

Computer and Network Security

• Use SSL technology for your online transactions. SSL stands for "Secure Sockets Layer," a technology that applies encryption—a scrambling of the message—to sensitive information traveling on the Internet, such as credit/debit card numbers. To use SSL, you will need to purchase an SSL Certificate from a Certificate Authority (CA). There are a number of Certificate Authorities you can buy SSL from, such as www.verisign.com, www.networksolutions.com, www.thawte.com and GeoTrust www.geotrust.com. For more information on what encryption is and how to use it, visit HowStuffWorks http://computer.howstuffworks.com/encryption.htm.
• Consider encrypting financial, medical and otherwise sensitive information on your on-site business computers. Your computer may already have the ability to encrypt data using settings installed on its operating system or networking hardware. Ask your

Proud supporter of Security and Privacy — Security and Privacy — Made SimplerTM Powered by Security & Privacy — Made SimplerTM

network administrator or computer vendor • Continuously update your anti-virus and for assistance. If this is not an option, you anti-spyware software. Updates are can buy encryption software and hardware generally available at the website of the at most computer stores. manufacturer of the anti-virus and anti- spyware software you use. If you don't have • Use passwords and change them frequently. anti-virus and anti-spyware software Don't use a password that someone who installed, contact an IT consultant or visit a knows even a little about you could guess, computer or business supply store that you such as a spouse's or child's name, home trust to find out what products will best fit telephone number, or college you went to. your needs. Never write your password down. The Federal Trade Commission provides • Use file sharing only when you need it. Turn helpful password tips at it off at all other times. You may want to www.onguardonline.gov/stopthinkclick.htm. consult a networking professional for expert security advice if especially sensitive infor- • To the extent possible, don't keep personal mation will be shared over a network. information on the hard drive of computers that connect to the Internet. Use CDs, • If you use wireless networking, turn on the removable memory (flash drive), or floppy security features that come with the wireless disks. Try to keep any disks or removable network products you purchase and test that memory in a secure and locked location. they operate properly. Again, you may want to consult a networking professional before • Use a firewall to protect your computer you share any sensitive information over a network. Firewalls are a system of software, network. See hardware, or both designed to prevent http://www.ftc.gov/bcp/online/pubs/ unauthorized access to a network. A variety online/wireless.htm . 
of ready-to-use firewall programs are available from popular brands such as • Keep your network servers in a locked McAfee www.mcafee.com , Symantec room. www.symantec.com, and Zone Labs www.zonelabs.com . If your business handles especially sensitive personal • Turn off your computers when not in use. information on the network and needs a higher level of protection, seek an IT • Back up all your data regularly and keep consultant or visit a trustworthy computer backup disks or other back-up materials in store for suggestions. a locked area.

• Continuously update your browsers, operat- • Refer to Chapter 11, Payment Card ing system, and other software to make sure Security Requirements. For more you are using the most secure versions guidance, see www.visa.com/cisp . available. Updates can be found on the websites of the companies that manufacture the browsers, operating system and other software you use.



Laptop Computer, PDA & Cell Phone Security

• Always keep your laptop, PDA, or cell phone within sight—especially when you are away from your office.

• Always keep your portable device within reach when traveling; stealing laptops at airports and from trains and restaurants has become a popular data theft technique.

• Limit the amount of any sensitive information stored on laptops, PDAs, and cell phones. If possible, do not store sensitive data on portable devices.

• Password-protect access to the laptop, PDA, and cell phone. Also password-protect features such as Internet access, e-mail, voicemail, and address books.

• Turn these devices off when not in use.

• Do not share portable communication/organization tools (or their passwords) with others.

• If an employee (a salesperson or telecommuter, for example) needs to take personal data off premises on a laptop, CD, flash drive or other portable device, you should encrypt the data.

• Back up all data regularly and keep backup disks or other back-up materials in a locked area.

Special Protections for Cell Phone Users

Today's digital cell phones feature e-mail and Internet capabilities, address book and calendar functions, and can store recorded memos, voicemail, pictures, and other data files. Although these features help businesses be more efficient, they also create a new layer of data security and privacy to protect. Criminals can hack into cell phones and steal stored files, contacts and voicemail. Viruses can significantly disrupt a cell phone, just as they do a computer. This is why it is important to lock your device and keep it in a secure location when not in use. Do not download or accept file downloads from unknown sources.

Limit the amount of data you transmit or store on a cell phone or PDA. Never store sensitive information, such as bank account numbers, ATM codes, and credit/debit card information on cell phones.

Cellular technology changes rapidly, and cell phone capabilities and security features vary significantly between models. Refer to your owner's manual for help to configure the security setting on your phone, or contact your cellular provider for assistance.

10. Internet Security Fundamentals

If you have an "e-business" or your business regularly executes transactions over the Internet, your security toolkit should include web site security, e-mail security, and advanced cyber-security tools.

Web Site Security

Customers have come to expect security on your business web site. Given this, you must ensure that you securely transmit all data over the Internet during an online purchase from your website. Secure Sockets Layer (SSL) is the industry standard for secure, encrypted data transfer over the Internet. SSL technology is built into all major Web browsers (e.g., Explorer and ). Ask your web site designer to configure your site to accept SSL transactions, and ask for advice on how to get your SSL certificate.

SSL is a good starting point, but website security does not end there. Hackers also can steal stored information directly from computers, even if the information is not being transmitted over the Internet. As a result, go the extra step and consider encrypting any sensitive information stored on all your computers.

Refer to Chapter 9, Securing Data in Your Office & Online for information and links on SSL and data encryption.

E-mail Security

E-mail is not secure. Criminals can easily intercept e-mail transmitted over the Internet, and your employees, co-workers, or family members at home may have the ability to access your e-mail without you ever noticing. It's important to engage safeguards when you use e-mail.

E-mail Security Tips

• Use e-mail filtering software to screen e-mail and identify suspect messages.

• As a general rule, do not include sensitive information in unencrypted e-mail (Social Security Numbers, credit/debit numbers, account numbers, personal address, phone or e-mail information, etc.).

• When e-mailing messages to a group of people, put recipient addresses only in the "BCC" header (blind carbon copy)—not in the "To" or "CC" headers. This is important even if there is no sensitive content in the body of the e-mail; otherwise you expose the e-mail ID of everyone on your distribution list.

• Beware of "phishing." These are e-mails that mimic the designs of well-known sites and ask you to respond by giving personal information. Do not respond in any way to these e-mails. If you think the e-mail is genuine, directly contact the real organization and verify the authenticity of the e-mail. Legitimate companies do not ask for personal information in an e-mail.

• Don't open e-mail attachments or links from anyone you don't know or trust.

• Turn off the "preview" function of your e-mail program. While this allows you to see the first few lines of the content, it can be a security risk.

Cyber-Security Tools - The Basics

Using the right cyber-security tools can help you diminish the risk of data exposure from data handling.

Here are the most widely used computer security tools and a brief explanation of what they do.

• Firewalls: software and hardware that limit external access to your business computers or network.



• Encryption: software or other technology that scrambles data to prevent unauthorized viewing.

• Vulnerability Analyzers: software that performs checks to determine if a computer network's devices and software are properly configured, patched, and updated.

• Host/Network-Based Intrusion Detection Systems: software that scans for network-related suspicious activity.

• Intrusion Prevention Systems: sensors that detect network security vulnerabilities.

• File Integrity Systems: systems that provide intrusion detection and verify that files have not been tampered with.

• Network Scanners: tools that identify network security holes that could give intruders access to your network.

These tools are available commercially at most computer or business supply stores. Ask your computer vendor, a sales specialist at a trusted computer store, your network administrator, or an IT consultant for the specific brand and product recommendations that will best match your system and your business needs.

11. Payment Card Security Requirements

Security Rules Your Business Must Follow

The major credit card associations (Visa, MasterCard, American Express, and Discover) have established security requirements for both credit card processors and merchants accepting payment cards. The following rules are especially applicable for your business.

• Do not store the contents of any credit card's magnetic stripe.

• Do not store the CVV or CVV2 (card verification value), two security features of debit and credit cards that should never be stored by businesses. The CVV is a secret code embedded in the magnetic stripe of payment cards that is used to prevent counterfeiting. The CVV2 is the three or four number code on the signature panel of most cards or the front of an American Express card.

• Store only the account information you need to complete and service your transaction. Under no circumstances should the CVV, CVV2 or PIN be stored.

• If you store the basic 16-digit credit or debit card account number, have a plan to destroy it when it's no longer needed. You may want to establish a policy that specifies the length of time your business holds on to credit card information.

• Ensure your business partners and vendors follow the payment card security requirements. A complete list of PCI compliant service providers is available at www.visa.com/cisp.

• Additionally, be aware of the unintended consequences of any software you are using. Merchants are encouraged to use point-of-sale payment software that has been validated compliant with the Payment Application Best Practices (PABP). A list of software providers/software applications that have been validated by PABP is available at www.visa.com/cisp.

• Your business may have to comply with security audits according to the PCI requirements. You may be asked for a system's scan or self-assessment. Contact the bank or the company that manages your payment card processing for details or log on to www.visa.com/cisp for more details on the Payment Card Industry Data Security Requirements.

Security Rules for Processors—Which Also Apply to Small Businesses

In addition to the guidelines listed above, payment card processors and merchants are required to follow these rules:

• Use firewalls.

• Change passwords and security codes from those supplied originally by the software manufacturer, to secure the processor's data and computer network.

• Encrypt all payment card information stored on the processor's computers.

• Encrypt any card data transmitted over the Internet or other public network.

• Use anti-virus software and keep it updated.

• Keep other software, such as operating systems, secure and updated.

• Provide employee access to data on a need-to-know basis only.

• Give each company employee who uses a computer a unique ID.

• Restrict physical access to hard-copy payment card data.

• Track card data access on the company's computer network.

• Test the company's security systems on a regular basis.

• Have an information security policy that spells out rules for employees who handle data and reinforce it regularly.

• For a full listing of these rules, go to www.visa.com/cisp. Click "PCI Data Security Standard."

By following the payment card security requirements, you will protect your customers' sensitive data, and put your business at a competitive advantage with other businesses that are not in compliance.

The alternative can be disastrous. If your business has a security breach and is found not in compliance with the payment card security rules, there are severe penalties, including barring your business from accepting payment cards.

Choosing a Payment Card Processing Company

As a business, you have a choice in processors, and credit/debit card processors can vary in their performance. If your customers' information is lost or stolen from your card processor, you and your business could become the target of negative publicity, loss of customer trust, fines, and costly lawsuits.
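The Chapter 11 storage rules above (never keep magnetic-stripe data, CVV, CVV2 or PIN; keep the account number only as long as a stated retention policy allows) can be enforced mechanically at the point where a sale record is written. The Python below is an added example, not code from the guide or from any card association; its field names, the 90-day retention period and the sample capture are assumptions.

```python
"""Added example (not from the BBB guide): keep only the payment card data
Chapter 11 allows a merchant to store, and destroy it on schedule.
Field names, the retention period and the sample capture are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Data the guide says must never be stored after a transaction: the
# magnetic-stripe contents (track data), the CVV inside it, the printed
# CVV2 and the PIN.
FORBIDDEN_FIELDS = frozenset({"track1", "track2", "magnetic_stripe", "cvv", "cvv2", "pin"})


@dataclass(frozen=True)
class StoredCardRecord:
    """What stays on file: only what is needed to complete and service the sale."""
    account_number: str   # full PAN only when needed for service, else masked
    expiry: str           # MM/YY
    cardholder: str
    destroy_after: date   # retention-policy deadline for this record


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: a cheap sanity test that the PAN field is really a PAN."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, enough for receipts and support calls."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def forbidden_fields_present(captured: dict) -> list:
    """Names of fields in a captured record that must never reach storage."""
    return sorted(k for k in captured if k.lower() in FORBIDDEN_FIELDS)


def sanitize_for_storage(captured: dict, today: date, retention_days: int,
                         keep_full_pan: bool = False) -> StoredCardRecord:
    """Reduce a freshly captured record to what the business may keep.

    Track data, CVV, CVV2 and PIN are dropped unconditionally. The full
    account number is kept only when the business needs it to service the
    transaction (recurring billing, say); otherwise it is masked. Either
    way a destroy-after date is attached so the retention policy can be
    applied mechanically by purge_expired().
    """
    pan = "".join(c for c in captured["pan"] if c.isdigit())
    if not luhn_valid(pan):
        raise ValueError("account number fails the Luhn check")
    return StoredCardRecord(
        account_number=pan if keep_full_pan else mask_pan(pan),
        expiry=captured["expiry"],
        cardholder=captured["cardholder"],
        destroy_after=today + timedelta(days=retention_days),
    )


def purge_expired(records: list, today: date) -> list:
    """Apply the retention policy: destroy every record past its deadline."""
    return [r for r in records if today <= r.destroy_after]


# Constructed sample of what a point-of-sale capture might hand over.
# The number is a Luhn-valid test value, not a real card.
CAPTURED_SAMPLE = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/09",
    "cardholder": "A. Sample",
    "cvv2": "123",
    "track2": "4111111111111111=0912...",
    "pin": "0000",
}
POLICY_DATE = date(2006, 3, 1)            # day of the sale (assumed)
SAMPLE_RECORD = sanitize_for_storage(CAPTURED_SAMPLE, POLICY_DATE, 90)

if __name__ == "__main__":
    print("must not be stored:", forbidden_fields_present(CAPTURED_SAMPLE))
    print("stored record:", SAMPLE_RECORD)
    print("after deadline:", purge_expired([SAMPLE_RECORD], date(2006, 6, 1)))
```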



As you select a processor, verify that they follow all the security rules required by the major payment card associations. If a credit/debit card processor fails to follow those rules, a major data security breach is possible. In 2005, hackers accessed information on approximately 40 million cardholder accounts from a credit card processor that was found not to be compliant with the credit card security requirements.

12. If You Have Data Lost or Stolen

Consider Notifying Your Customers

Currently, twenty-three states (listed here) have laws that require customer notification in the event personal data is lost, stolen, or inadvertently disclosed, and these laws may expand to a national level soon. Many states require you to notify your customers of any data breach. Other states require notification when harm to potential victims is likely.

States with Breach Notification Laws

*Arkansas, *Connecticut, *Delaware, *Florida, Georgia, Illinois, Indiana, *Louisiana, Maine, Minnesota, *Montana, Nevada, *New Jersey, New York, *North Carolina, North Dakota, *Ohio, Pennsylvania, *Rhode Island, Tennessee, Texas, *Washington

* Requires notification only when there is risk of harm to consumer victims

Even if the law doesn't require it, consider the advantages of giving notice to your customers whose information was compromised.

If you tell your customers about the breach:

• Describe the nature of the incident.

• Tell them what you have done to address the problem.

• Tell them what you will do in the future to further reduce the chance of it happening again.

Visit the FTC Web site (www.ftc.gov) for more information on responding to a data breach.

Notify Law Enforcement and Other Authorities

If a breach occurs, it is important to alert appropriate law enforcement officials immediately so they can investigate the incident. Talk to a lawyer to get advice on which law enforcement authorities you should contact. This could include local police, state authorities, or even the FBI. The major payment companies also advise that you immediately contact your payment processor and your acquiring bank if you have a credit/debit card security breach.

It is also recommended that if you have any kind of customer data breach, you alert the three national consumer reporting agencies: Equifax www.equifax.com, TransUnion www.transunion.com, and Experian www.experian.com.

Also alert the bank or company that you hire to process your payment cards. It's important that the compromised accounts are watched or closed to prevent fraud from occurring on them. You could have liability for the resulting fraud, so quick notification to the payment card companies can help.

Ask your lawyer about this now, so that in the event something does happen, you are immediately prepared and know which law enforcement agencies to contact. Some local law enforcement departments have even set up special units to investigate such incidents.

Support Your Customers

If a breach occurs:

• Encourage your customers to monitor their credit reports for signs of identity theft. If you can afford the expense, consider paying for a credit monitoring service for your affected customers for a designated period of time (generally 6-12 months).

• Encourage any customer experiencing or suspecting identity theft to notify you, file a police report, and notify the three national consumer reporting agencies, outlined in the section above.

Responding quickly to a data breach may help you retain your customers.

13. Managing Official Requests For Your Data

You Have Both Duties and Rights

When you receive a request for customer records from a law enforcement officer or a government agency, balance your general inclination to respond immediately with your responsibility as a trustee of your customers' information.

Responding to Government Agency or Law Enforcement Requests for Data

• State your company's policies on responding to these requests in your security and privacy policy. If your business shares customer personal information with the government when it is required to do so by law or valid access request—say so.

• Consult with your attorney about your obligations to respond to government information requests and to ensure that you are complying with your privacy policy.

• Train your employees. Tell them what to do when they receive a request for customer information from law enforcement or other government agency.

14. If You Do Business Globally

You Could Be Subject to Foreign Data Protection Laws

Over 50 nations have personal data protection laws that regulate the handling of consumer information by businesses. Most data protection laws apply to all businesses that handle customer information, regardless of size. Even a company with no physical presence in another country—but which engages in international business-to-consumer e-commerce—is often required to comply with these laws. These data protection laws are found throughout Europe, Canada, South America, Asia, Africa, and the Middle East.


What You Need To Know About Global Commerce

• Learn about the data protection laws in countries in which you do business. A good place to start is with the web sites of national data protection authorities for each country. Some publish guides to their laws that are customized for small businesses, such as the UK and Australia. For a list of data protection authorities in countries around the globe visit http://www.dataprotection.ie/docs/European_Functions-Useful_Links/99.htm

• Consumers in these countries expect businesses to understand and comply with local data protection laws, no matter what the business size.

What These Laws Require from Businesses

In general, data protection laws require businesses to:

• Provide information to consumers about the collection and processing of their data.

• Process consumer data in a fair and lawful manner, and only for the purposes communicated to the consumer.

• Restrict the collection and processing of certain "sensitive" types of consumer data.

• Collect only relevant (and not excessive amounts of) personal data from consumers.

• Take reasonable steps to protect consumer data from accidental loss, destruction or unauthorized disclosure. This includes supervising employees and contractors who touch consumer data on a business' behalf.

• Ensure that safeguards are in place at destination points before transferring consumer information outside of the country.

• Check on whether a country requires businesses to file a notification with the national data protection authority before collecting and handling any consumer data.

Customers Have Rights Under International Data Protection Laws

Customer rights under data protection laws generally include:

• The right to withdraw consent to certain uses of personal data (generally for direct marketing uses).

• The right to obtain information about how personal data is processed.

• The right to view their personal information and request that any errors in that information be corrected.

• The right to sue a business in court for compensation or damages resulting from harm caused by a breach of the data protection laws.

Law Enforcement

Most countries with data protection laws have designated a separate data protection authority to supervise and enforce the law. These agencies generally have the power to receive and investigate complaints about businesses from consumers, or to initiate their own investigations. Some have the power to impose fines and other penalties for violations of the law, while others may only make non-binding determinations (which may be enforceable by a court).


15. Additional Resources

Managing security and privacy in your business activities doesn't need to be an unduly expensive or time-consuming activity. Taking practical steps to protect the sensitive data your customers entrust to you will produce many dividends in return. Establishing solid data security and privacy policies and practices will:

• Put your business in compliance with federal and state law.

• Help protect your business and customers from data theft and criminal activity, including ID theft.

• Create a bond of respect and trust between your business and your customers.

Customers expect their information to be kept securely. Consider this your initial Guide to security and privacy best practices. However, note that security has new manifestations all the time, so it's a changing landscape. Here are additional resources to help keep you current.

• The Better Business Bureau: Find updates for small business owners about changes in security and privacy laws as well as new risks they need to manage. www.bbb.org/securityandprivacy.

• The Federal Trade Commission: The site of the nation's consumer protection agency has a collection of resources for businesses and consumers www.ftc.gov. The FTC also provides a one-stop national resource on ID Theft at www.consumer.gov/idtheft.

• Privacy Manager's Resource Center: a comprehensive resource from BBBOnLine to help businesses promote trust in consumer relationships www.bbbonline.org/UnderstandingPrivacy/PMRC.

• IBM's Small Business Center: a collection of resources for small business owners including white papers, technology solutions and expert Q&A www..com/businesscenter/smallbusiness.

• Visa: Full briefing of payment card industry (PCI) standards for merchants www.visa.com/cisp.

• Business for Social Responsibility: Issue Brief—Consumer and Employee Privacy www.bsr.org.

• OnGuard Online: provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. Managed by the FTC www.onguardonline.gov/index.html.

• Small Business Computing.com: an online magazine-style guide by Jupiter Media Corporation for small business owners featuring technology articles, reviews, and a message board www.smallbusinesscomputing.com.

• Security Protection - Your Security Toolbox: a site by Hewlett-Packard with links to a variety of information and tools for small business data protection www.hp.com/sbso/security/toolbox.html.

• 's Small Business Center: tips, tutorials, small business forum and product information for small businesses www.microsoft.com/smallbusiness/hub.mspx.


16. Customized Insights from eBay

We understand how challenging it can be for business owners to manage their online businesses. It can take a lot of time just to find and retain customers, let alone develop an effective online security and privacy plan. Over the past several years, we've heard from our users just how important effective tools and education are to achieve this goal.

Sellers using eBay for their online auctions and/or PayPal for their online payments have a number of resources available to them on our web sites to help them manage their online risk, including:

1. Online spoof tutorials: http://pages.ebay.com/education/spoof-tutorial/. A free online tutorial helps you spot and report fake .

2. eBay Toolbar with Account Guard: http://pages.ebay.com/ebay_toolbar/. A free download that will indicate when you are on either eBay or PayPal, and will warn you when you are on a potentially fraudulent web site.

3. Security Tips on Preventing Identity Theft: www..com/idprotection. Includes the five actions you can take to protect yourself from identity theft.

4. Security Tips and Fraud Prevention: http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/fraud-prevention-outside. More tips on web site security, password safety, email security and how to use your account wisely.

Additional Thoughts to Reinforce & Highlight

Do not click on email links that request personal information. Do not click on a link embedded within any potentially suspicious email, especially if the email requests personal information. Instead, try starting a new Internet session with your browser, typing the web address of the link into the address bar, and pressing 'Enter' to be sure you are directed to a legitimate web site.

Do not share your account. Don't use your payment service account to collect or transfer money for someone else. These types of activity are often conducted as forms of money laundering or mail fraud and may result in significant criminal penalties. If someone contacts you and asks you to transfer money on their behalf, you should deny the request and contact us immediately.

Never share your password. Most legitimate web site representatives will never ask you for your password. If you believe someone has learned your password, please change it immediately and contact us.

Create a secure password. Choose a password that uses a combination of letters, numbers, and symbols. For example, $coo!place2l!ve or 2Barry5Bonds#1. Avoid choosing obvious words or dates such as a nickname or your birth date.

Finally, should you come across suspicious email that claims to be from eBay or PayPal, please report it to us at [email protected] or [email protected].

