Privacy Rights Clearinghouse
A Business Issue
Using This Checklist
Section I. Developing Privacy Policies to Guide Customer/Client Relations
A. Organizational Policies
B. Privacy Principles
C. Data and Network Security
D. Some Additional "Common Sense" Security Practices
E. Records Retention and Disposal
F. Facsimile Transmission
G. Copiers, Printers and Fax/Multifunction Machines
H. Answering Machines and Voice Mail Systems
I. Wireless Communications
J. Social Security Numbers (SSNs) and the Use of Personal Identifiers
K. Guidelines for Security of Lists
Case: A credit bureau mailed a credit report to a man who had requested it, and mistakenly included the credit report of a woman who had no connection to him. To make matters worse, the woman's credit report had been "flagged" by the credit bureau for security purposes.*
* All case studies reported in this Fact Sheet are true stories taken from consumer complaints received by the Privacy Rights Clearinghouse (PRC).
When we think about data breaches, we often worry about malicious-minded computer hackers exploiting software flaws or perhaps Internet criminals seeking to enrich themselves at our expense. But the truth is more complicated than that.
Hardly a day goes by without a news story about some company or government agency losing control over vast quantities of customer or client information. In fact, PRC reports almost a billion personal records have been improperly exposed since 2005. Web: www.privacyrights.org/ar/ChronDataBreaches.htm
Thus, a critical starting point for preventing future data breaches (and the identity theft that can follow) is developing ironclad policies and practices for handling personal information from within the workplace. In the past, security often was dealt with by trying to protect sensitive data from outside intrusion. However, that leaves far too much room for internal errors, carelessness, and wrongdoing by those who handle personal information. Responsible data-handling practices begin with the development of workplace privacy policies and the implementation of regular training programs for employees.
The Federal Trade Commission offers practical tips and an interactive tutorial called "Protecting Personal Information: A Guide for Business" at http://www.business.ftc.gov/documents/bus69-protecting-personal-information-guide-business. The tutorial explains why safeguarding sensitive data is good business and how to implement steps to protect personal information.
The Internal Revenue Service has a "Facility Security Survey Checklist" in Section 10.2.3.8 of the Internal Revenue Manual. The checklist is available at http://www.irs.gov/irm/part10/irm_10-002-003.html#d0e248.
The proliferation of office printers, copiers, fax machines, email, laptop computers, personal digital assistants (PDAs), smartphones, and portable storage devices has allowed for dissemination — accidental or intentional — of information in quantities never before imagined. Thus, the challenge for organizations is not just in keeping track of the ever-growing mountain of new information being produced each year, but also monitoring and managing the archives. Putting clear policies in place and effectively enforcing them are essential.
Privacy is increasingly becoming an important business issue. Nearly every state in the U.S. has enacted a data breach notification law. These laws require businesses to notify consumers of breaches of security. Many of these laws may impose additional obligations upon businesses. Data breaches can cost companies millions of dollars per incident in direct costs, such as notifying victims. In addition, the public relations fallout from a data breach can be significant. Corporate reputations can suffer tremendously.
Furthermore, lawsuits against firms for negligent handling of personal information are becoming more common. Some states have passed laws allowing individuals to sue organizations that fail to safeguard their private data. Federal statutes and regulations also permit government agencies to sue organizations over data breaches and other failures. Even if your organization prevails, litigation costs can be substantial.
Many employers are imposing new restrictions on who can take confidential records out of the office and are providing special training on how to keep data secure. Workers found violating security policies are being disciplined, or even dismissed. So whether or not a company is cracking down on computer security, employees should consider protecting themselves. Experts say it’s wise to check your company’s policy or urge such policies be adopted or clarified.
Companies using outside vendors to collect, store, process, transmit, or destroy their data should investigate their vendor's privacy and security policies and practices, delineate the vendor's specific obligations (rather than simply stating that the vendor will comply with all applicable laws), and perform privacy audits on vendors.
Additional concerns exist when employees are allowed to use their own mobile electronic devices (laptops, tablets and smartphones) for both personal and work purposes. PRC's Fact Sheet 40: "Bring Your Own Device . . . at Your Own Risk" addresses some of these concerns.
This checklist provides an overview of key points to consider when preparing information-handling policies and conducting privacy audits within your organization. The checklist can be used by private, public and not-for-profit organizations alike. Not all points will be relevant to your organization.
Some situations may require you to take more stringent steps than those listed here. For example, medical records may necessitate extraordinary steps.
The checklist is divided into two sections. Section I suggests issues to consider when drafting privacy principles to safeguard the personal information of your clients and customers. Section II concerns privacy policies affecting your employees, such as personnel records, electronic monitoring, and email.
Understand that this is not an issue you can address once and have solved forever. Threats will change, technology will change, and employees will change. So your plans and processes should change along with them. Updates are crucial.
No one is immune. While some companies have data collection as their core business, all firms collect information on their clients, customers, and employees. Don’t wait until a computer goes missing to think about what actions to take. Develop a complete checklist now.
Are all employees who handle personal information included in the training programs, including temporary employees, back-up personnel, and contract staff?
The major components of effective privacy policies are listed below, adapted from the fair information practices developed by the Organisation for Economic Cooperation and Development (OECD) (http://www.oecd.org/sti/ieconomy/informationsecurityandprivacy.htm). Another useful compendium is the Canadian Privacy Code under the federal law, Personal Information Protection and Electronic Documents Act (PIPEDA) (http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html). Although designed to guide the development of national privacy legislation, these principles are also appropriate for organizations.
Security of personally identifiable information—whether stored in electronic, paper or micro-graphic form—is covered in many websites, books, journals, trade magazines, and conferences. Only the major points are listed here. Several professional associations are listed in the Resources section at the end of this guide.
Do staff members participate in regular training programs to keep abreast of technical and legal issues?
Do you have procedures to prevent former employees from gaining access to computers and paper files?
Are filing cabinets containing sensitive information locked? Are computers, laptops, and networks password protected?
Are employees required to change passwords often, using "foolproof" methods?
Case: A medical office photocopied more of a car accident victim's record than necessary and released extremely sensitive but irrelevant information to the insurance company. Information about the woman's child, given up for adoption 30 years ago, eventually became part of the court record, a public document.
Have employees been instructed on what might constitute inappropriate use of social networking sites? Employees must be made aware of the privacy pitfalls inherent in social media. "Twittering" or "Facebooking" about sensitive work issues can have adverse consequences far beyond a simple conversation.
Case: An automobile dealer did not shred loan applications before tossing them into the garbage. A "dumpster diver" retrieved one and used the financial information to commit thousands of dollars of fraud against someone who had applied for a car loan.
When disposing of computers, diskettes, magnetic tapes, CD-ROMs, hard drives, memory sticks, mother boards, and any other electronic media which contain personally identifiable information, are all data rendered unrecoverable by either physically destroying the device or by over-writing the data sufficiently to ensure destruction?
If you use third-party services for computer recycling or destruction, have you selected a service that provides a certificate of destruction? Does it dispose of toxic materials properly?
Case: A medical doctor, who was filing for bankruptcy, faxed a financial document to his attorney. He entered the wrong telephone number, and the document was instead transmitted to the local newspaper.
For additional tips, read Guidelines for Facsimile Transmission Security, by the Information and Privacy Commissioner of Ontario. Web: www.ipc.on.ca/images/Resources/fax-gd-e.pdf
Case: Four used copiers purchased from an office supply warehouse for about $300 each contained a gold mine of personal data. Tens of thousands of documents were downloaded from them using a forensic software program available free on the Internet. Some of the data available included 95 pages of pay stubs with names, addresses and Social Security numbers; 300 pages of individual medical records; detailed domestic violence complaints and a list of wanted sex offenders; and a list of targets in a major drug raid.
When copiers, printers, or fax/multifunction machines are repaired or disposed of, do you consider the digital data that is likely to be present in the equipment’s hard drive? Digital copiers, printers, and fax/multifunction machines represent one of the most important and least understood opportunities for data leaks. They are a virtual digital time bomb containing a wide variety of sensitive information.
Most of these types of equipment manufactured since 2002 contain hard drives that store digital images. These machines are capable of storing an image of every document that has been copied, scanned, printed, emailed, or faxed. Although the data may be stored in a proprietary format or encrypted, a hacker can easily gain access to years of sensitive information. Some machines don’t even require hacking because they may allow jobs to be reprinted from a printed job list. Sophisticated copiers may contain a list of users' email addresses, outgoing fax numbers, and contact names. All of this information can easily be transferred from the copier to a hacker's laptop. Accordingly, simply disposing of this equipment presents a significant opportunity for a security breach.
While much of the hard drive space in many machines is used for processing, the drive may also store thousands of pages of information. Once the hard drive memory has been exceeded, files are automatically overwritten. “Cap points” limit the number of pages stored to hard drives, and the cap limitation will vary in each make and model. Depending on the type of machine, information from small print jobs may be stored in random access memory (RAM) only, and the files may be overwritten with each new print request, or lost when the machine is powered off.
Most major manufacturers now offer security or encryption packages to help protect against this problem. However, many businesses fail to pay for this protection. If your equipment does not have this protection, you should erase or remove the copier’s hard drive, clear its memory, and change the copier’s passcodes.
Does your organization have security procedures in place for deleting digital data from copiers, printers and fax/multifunction machines?
Does your organization recycle or resell copiers, printers or fax/multifunction machines to wholesalers or refurbishers? If so, has your organization taken steps to remove any data history?
The Federal Trade Commission’s Copier Data Security: A Guide for Businesses provides information about digital copier operation, lifecycles, encryption, overwriting, and security measures. The guide is available at http://business.ftc.gov/documents/bus43-copier-data-security.
The Federal Deposit Insurance Corporation (FDIC) has issued guidance describing the risk posed by sensitive information stored on these types of devices and how financial institutions can mitigate that risk. The FDIC requires financial institutions to implement written policies and procedures to ensure that a hard drive or flash memory containing sensitive information is erased, encrypted or destroyed prior to the device being returned to the leasing company, sold or otherwise disposed of. Web: http://www.fdic.gov/news/news/financial/2010/fil10056.html
Case: Message left on the wrong answering machine when the phone number was misdialed: "Hello, Mrs. Weaver. This is Judy from the County Parole Office. You called earlier about your daughter Crystal? She has already been taken to the California Youth Authority [juvenile detention center]."
Case: As people stood in line to enter the theater, the cellular phone conversation of one theatergoer was overheard by those nearest her. It soon became obvious that the woman was a medical doctor talking about the care of a patient.
Are employees properly trained to make sure that all data is properly encrypted and that encryption is not disabled, either accidentally or intentionally?
While organization policies should emphasize the importance of encryption, these policies may be ignored by careless users, particularly if non-compliance does not result in adverse consequences.
Many organizations remain overly dependent upon encryption solutions to protect sensitive data on their laptops. Companies relying solely on encryption cannot be sure whether stored data has actually been encrypted, if it has been compromised, or even which files have been accessed. Corporations should take a layered approach to security, making encryption but one layer of their approach to data security.
Are employees trained in techniques to spot suspicious activity, including signs that a computer has been infected with malware?
Does the organization have policies, procedures and training programs that emphasize responsible information-handling practices?
Is the network connection between home and work secure?
Do laptops containing sensitive information have a "kill-switch," that is, remotely-enabled software that can disable lost or stolen laptops? The loss or theft of laptops is one of the most common ways that the security of corporate data is compromised.
Case: The supervisor of a unit within a large state government agency sent an electronic mail message to every employee that listed all their names and Social Security numbers, disregarding the privacy and fraud implications of releasing that information.
The use of SSNs for record-keeping purposes and personal identifiers should be strongly discouraged, and, preferably, prohibited. Proliferation of SSNs puts customers and employees at risk of allowing unscrupulous persons to obtain the number for fraudulent purposes, for example, obtaining credit card accounts in another person’s name. (See the Privacy Rights Clearinghouse identity theft publications. Web: www.privacyrights.org/identity-theft-data-breaches. See also Recommended Practices for Protecting the Confidentiality of Social Security Numbers. Web: http://www.oag.ca.gov/sites/all/files/pdfs/privacy/protecting_ssns.pdf.)
Case: Before departing the singles dating-service office, a fired employee stole a computer disk containing the supposedly confidential mailing list of all its clients. He sold the list to other dating services in the area.
Does your organization maintain information on clients, customers, potential customers, users, and/or members? Does it make those lists available to other entities by selling, renting, or exchanging them? If so, the Direct Marketing Association (DMA) recommends that the following guidelines be practiced. These are adapted from DMA's "Guidelines for Ethical Business Practice" and a previous publication, "Fair Information Practices Checklist." The use of the word "customer" below can be altered to fit your specific situation, such as "client," "member" or "user."
a. Does your organization offer its customers name-removal options? Are those options effectively communicated?
b. Do you subscribe to the DMA's name-removal services, the Mail Preference Service (MPS), and/or its E-mail Preference Service (EMPS)? Web: www.the-dma.org. Are MPS and EMPS names removed prior to renting or exchanging lists?
c. If you are a telemarketer, do you subscribe to the Federal Trade Commission’s Do Not Call (DNC) Registry? Are DNC numbers removed prior to renting or exchanging lists? Web: https://telemarketing.donotcall.gov
a. Is someone in your organization responsible for list security? Is someone responsible for keeping up to date on current laws and regulations regarding fair information practices?
b. Are your lists physically secure?
c. Are there sufficient restrictions—such as audit trails and strict penalties for violation—on your employees to protect against unauthorized access?
d. Does your organization instruct its employees in initial employee orientations and ongoing training programs that customer data are confidential?
e. Does the organization have adequate security to prevent remote computer access to your lists?
f. Does your organization ensure that list recipients employ sufficient safeguards? Does it make sure security measures are in place during the transfer of lists? Do you ensure the secure and timely return or destruction of lists used by other entities? Do you use a monitoring system to track list usage, such as the use of decoy names, called “seeding”?
a. Is your organization collecting only those consumer data that are pertinent and necessary for the purpose at hand?
b. Are you sensitive to a consumer's expectation that some personal information may be considered confidential and should not be used for marketing?
c. If your organization contributes customer data to a cooperative database, are you satisfied about the database's security?
a. Does your organization have the means to update its customer data?
b. Are customer data reviewed/revised by your organization on a regular basis?
c. Are customer inquiries regarding data accuracy answered promptly and to the customer's satisfaction?
The Privacy Rights Clearinghouse suggests these additional security guidelines:
a. Do you disclose up-front the intended uses of the data that are collected?
b. Do you allow the data subjects to inspect and correct data held about them?
Case: Charles was absent from work for a month on disability leave. Upon his return, he was shocked to discover that his supervisor had changed his password and listened to his voice mail messages.
a. the purpose for which the system is to be used (business only? personal matters allowed? no trade secrets discussed?)
b. penalties for misuse
c. who is authorized to access e-mail/voice mail messages; the disposition of email/voice messages when the employee is on temporary but extended leave;
d. the retention/purge schedule for files, including retention procedures for possible use as legal evidence
e. expectations for privacy (none? only in files marked "private"?)
f. password creation/change procedures
g. the use of encryption (prohibited? allowed? required for sensitive communications?)
h. safeguards concerning copying and forwarding messages, especially messages containing personally identifiable data
i. how the policy is communicated, such as employee notice and training programs.
In addition to email monitoring, an increasing number of employers use a variety of employee-monitoring practices, such as telephone systems that allow supervisors to listen to telephone calls, computer keystroke monitoring systems that can determine work productivity, web-surfing monitoring, video monitoring systems, and locational detectors.
Does your organization have a communications policy governing the use of employer-provided equipment? A written policy can help protect employers and minimize the possibilities that employees will misuse company technology.