Data Information Security Rule # 1: Never Collect and Store Private Information you do not need.
A Business/Organization/Institution is responsible for the Private Information it collects. Only collect sensitive personal identifying information for which you have a legitimate business need. Then keep it only for as long as you need it.
Social Security Numbers should only be used for required and lawful purposes – like taxes. Never use all or part of an SSN as an employee or customer ID number. Losing your employees’ SSNs to identity thieves will destroy morale and productivity.
Data Information Security Rule # 2: If You Collect and Store Private Information you need to Protect it.
A written policy needs to be created identifying what information is kept, how it is secured, how long it is kept and the method of disposal.
Data Information Security Rule # 3: If You lose Private Information you are liable for its loss.
A rule of thumb: Each item of Private Information lost will cost a company $200. Lose 1,000 credit card numbers and it will cost you $200,000. Not all Private Identifying Information is created equal. Lose a Social Security number and the liability grows with how the thief uses it. Each lost SSN could cost thousands. How much could it cost if a stored Facebook password is used to trash someone’s reputation? The lawsuit could be in the tens of thousands.
Are you willing to risk the liability resulting from asking for an employee’s Facebook password?