MissouriBusiness.net your success is our business

Repel Electronic Thieves:
Take proper steps to protect computer data

Protecting electronic data should be a primary concern for all business owners, considering the ever-present threat of computer-based data theft. According to findings from a 2007 survey conducted by AT&T, about one-fourth of small businesses are not concerned about data security. The report also indicates 10 percent of small businesses leave data completely unsecured, 32 percent believe that wireless data doesn't present security concerns and 17 percent take no precautions to guard against wireless security threats.

From a consumer perspective this is a disturbing trend. Business owners have a moral responsibility to reasonably safeguard their customers' sensitive information, such as credit card numbers and other financial data. And according to the Federal Trade Commission, businesses also have a legal obligation to do so.

There are several levels of security that can be implemented to safeguard clients' personal information. The first level of security for any computer connected to the Internet is a hardware firewall.

The second level is antivirus protection, which should be updated on a regular schedule (daily or weekly). Statistically, a computer connected to the Internet experiences an attempted virus attack an average of once every 4.5 minutes.

A third level of protection is anti-spyware and anti-malware software. Spyware and malware are the fastest-growing security threats to computers today, so it is especially important to keep spyware and malware protection current.

The last line of defense for Internet users is a software firewall, which should be installed on every computer or workstation in a business's network.

Care must be taken with wireless networks, which also are not immune from outside intruders. All wireless security measures have been defeated within two years by malicious hackers or by flaws in encryption measures. When using wireless connections, use the most up-to-date security encryption available and keep it updated.

If the fear of losing customers' personal information is of no concern, the fear of being legally liable if that personal information is stolen and illicitly used should be of concern. The Federal Trade Commission has four key factors in its data handling guidelines that must be followed to avoid being charged with negligence if a customer's personal information is lost or stolen. The FTC expects all consumer-related businesses to:

  1. Designate an employee(s) to coordinate and be accountable for the information security program, including a document retention policy.

  2. Identify "internal or external" risks to the security of personal information. The risk assessment must include: (a) employee training and prevention and (b) detection and response to attacks, intrusions or other system failures.

  3. Design and implement reasonable safeguards to control the risks identified in the risk assessment.

  4. Evaluate and adjust the program based on results of testing and ongoing monitoring of the program. Businesses also must make any material changes to the policy based on the company's operations or business arrangements or any other "circumstances" that may have a direct impact on the effectiveness of the security program.

Also, there are several statutes and regulations that govern the document retention policy required by the FTC. Examples include: HIPAA, Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act), Sarbanes-Oxley Act of 2002, Department of Defense 5015.2, FDA 21 CFR Part 11, Fair Labor Standards Act, and more than 20,000 statutes and regulations that require the retention of data depending on your industry. You should ask your information officer or computer technician which statutes and regulations govern your industry and whether you are compliant. If they do not know, find someone who does.

Be mindful of the many ways that personal information can be illegally acquired and take reasonable steps to avoid the problem. At a minimum, all business computers (desktops and laptops) should have sophisticated passwords to prevent outsiders from easily accessing customers' information. After all, you might eventually be a customer at one of those businesses.

This story was featured in the November 2008 newsletter

- Rebecca Evans, business specialist, Northwest Missouri State University SBTDC, 11/12/08

Updated: 8/28/09