Protecting your sensitive data—we can help
A crucial part of your business is dealing with customers and their sensitive financial information. With that comes a crucial responsibility—safeguarding what they provide you. We can help you understand the legal requirements and show you how to help protect your customers and your business.
The Financial Services Modernization Act
Protecting sensitive customer information is required by law for some businesses. The Financial Services Modernization Act (FSMA) is enforced by the Federal Trade Commission and requires anyone providing financial products or services to ensure the security and confidentiality of consumers’ personal financial information. That includes companies that handle lending, brokering or servicing a consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, or collecting consumer debts.
How to comply
In order to meet FSMA requirements, you must have a written information security plan describing how you protect customer information. The plan must:
- Designate one or more employees to coordinate the safeguards.
- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling the risks.
- Design and implement a safeguards program, and regularly monitor and test it.
- Select appropriate service providers and contract with them to implement the safeguards.
- Evaluate and adjust your program to keep it up to date, accounting for changes in your business arrangements or operations and for the results of testing and monitoring of safeguards.
These requirements are designed to be flexible. That allows you to implement safeguards appropriate to your company’s unique circumstances and operations.
When implementing your safeguards, consider all areas of operation—including the three areas that are important to information security: employee management and training, information systems, and managing system failures.
Employee management and training
The success of your information security plan depends largely on your employees who’ll implement it. To make sure you have workers who can handle the duties:
- Check references of job candidates who’ll have access to customer information.
- Have every new employee sign an agreement to follow your organization’s confidentiality and security standards.
- Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, including:
  - Locking rooms and file cabinets
  - Using password-activated screensavers
  - Establishing strong passwords that are at least eight characters long
  - Changing passwords periodically
  - Referring calls or other requests for customer information to designated individuals who have safeguards training
  - Recognizing any fraudulent attempt to obtain customer information and reporting it to authorities
  - Instructing and reminding all employees about your policy and the legal requirement to keep customer information secure and confidential
  - Limiting access to customer information to employees who have a business reason for seeing it
  - Imposing disciplinary measures for any breaches
Information systems
Your security plan needs to take into account the information systems you use—including network and software design, as well as information processing, storage, transmission, retrieval, and disposal. Follow these steps to maintain the security of customer information:
- Store records in a secure area. Make sure only authorized employees have access.
- Provide for secure data transmission when you collect or transmit customer information.
- Dispose of customer information in a timely, secure manner.
- Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information.
- Maintain an inventory of your computers.
Managing system failures
While you’re taking precautions to protect your customers’ information, it’s important to have effective security management. That includes preventing, detecting, and responding to any attacks, intrusions, or other system failures. Consider these protections:
- Maintain up-to-date and appropriate programs and controls.
- Back up all customer data regularly to preserve the security, confidentiality, and integrity of customer information in the event of a computer or other failure.
- Ensure systems and procedures allow access to private consumer information only to legitimate and valid users.
- Notify customers promptly if their personal information is lost, damaged, or otherwise compromised.
Securing your customers’ information is not only required by law; it also makes good business sense. When you show customers that you care about the security of their personal information, you increase their confidence in your business.
You can find additional information and guidance for complying with the Financial Services Modernization Act at the Federal Trade Commission website or talk with your Sentry Safety consultant.