Over the last few months we have examined what your business needs to do:
- Know what Private Personal Information you have in your files and on your computers.
- Keep only what Private Personal Information your business needs to conduct business.
- Physically secure paper documents in locked filing cabinets and rooms.
The next topics to be covered:
- Audit the security practices of contractors and service providers.
- Implement information disposal practices to prevent unauthorized access to Private Personal Information.
- Create a plan for responding to security incidents.
- Identity Monitoring
Auditing the security practices of contractors and service providers
You need to look at the companies who provide your cleaning services, payroll, web hosting, cloud services, customer call center operations, data processing and backup, network administration, Human Relations, employee recruiting, insurance and retirement plans. In short, review any contractor or service provider who has, or could have, access to the Private Personal Information you collect and store.
Before you outsource any information-sensitive business function, investigate the company's data security practices and compare their standards to yours. If possible, visit their facilities, website, Yelp and LinkedIn company profile. Do you know what their employees are saying about their customers on Facebook?
In your contract with each service provider, address the security requirements for the type of data they will handle. It would be a good idea to have the contract reviewed by your attorney.
Do they run background checks on the employees who could have access to your information? Often the only people in your business at night are from the cleaning service. It may be months before your employees know their Social Security number is being used by someone to get employment in a different city.
Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data. A breach of the vendor’s database may mean you need to notify your customers that their information has been exposed.
Know your vendors. When you hire them their actions (or lack of actions) could become your problem.