Best Practices for Managing Confidential Client and Customer Information

Employee Management and Training. The success of your information security plan depends largely on the employees who implement it:
• Check references and do background checks before hiring employees who will have access to confidential information.
• Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling customer information.
• Limit access to customer information to employees who have a business reason to see it. For example, give employees who respond to customer inquiries access to confidential files, but only to the extent they need it to do their jobs.
• Control access to sensitive information by requiring employees to use “strong” passwords that must be changed on a regular basis. (Tough-to-crack passwords require the use of at least six characters, upper- and lower-case letters, and a combination of letters, numbers, and symbols.)
• Use password-activated screen savers to lock employee computers after a period of inactivity.
• Develop policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices. For example, make sure employees store these devices in a secure place when not in use. Also, consider that customer information in encrypted files will be better protected in case of theft of such a device.
• Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, including:
■ Locking rooms and file cabinets where records are kept;
■ Not sharing or openly posting employee passwords in work areas;
■ Encrypting sensitive customer information when it is transmitted electronically via public networks;
■ Referring calls or other requests for customer information to designated individuals who have been trained in how your company safeguards personal data; and
■ Reporting suspicious attempts to obtain customer information to designated personnel.
• Regularly remind all employees of your company’s policy—and the legal requirement—to keep customer information secure and confidential. For example, consider posting reminders about their responsibility for security in areas where customer information is stored, like file rooms.
• Develop policies for employees who telecommute. For example, consider whether or how employees should be allowed to keep or access customer data at home. Also, require employees who use personal computers to store or access customer data to use protections against viruses, spyware, and other unauthorized intrusions.
• Impose disciplinary measures for security policy violations.
• Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names and taking other appropriate measures.