

Ways to Guard Against Data Theft

April 05, 2006 | Cyndia Zwahlen | Special to The Times

A thief takes a laptop belonging to Fidelity Investments that contains the Social Security numbers and birth dates of nearly 200,000 Hewlett-Packard Co. retirees. An auditor loses a computer disk that holds sensitive information on employees from -- of all places -- security software maker McAfee Inc.

Behind the headlines about these large corporations is a sobering question for smaller businesses: Are you -- and by extension your customers -- protected against similar data losses?

Security experts say small companies are potentially more vulnerable to breaches. Most don't have the luxury of putting an employee in charge of privacy, and they generally have less access to the sophisticated legal advice larger companies can afford.

Moreover, many small-business owners are too busy -- or unaware of the need -- to set up routine security practices. About 60% of small businesses don't encrypt their wireless networks, according to a recent study.

"There is not a business in the U.S. that would leave a box of cash on the counter," said Lydia Parnes, director of the Bureau of Consumer Protection at the Federal Trade Commission in Washington.

"Information is the new currency. So just as a business needs to safeguard their cash, they need to safeguard their customers' information."

That applies, for example, to the self-employed physical therapist who keeps clients' medical records on her home computer, the salesperson on a cellphone discussing an account's billing history, even the company with a jumble of old computers in an unlocked storage closet.

Small-business owners can take steps, online and offline, to protect sensitive personal and financial information. Clear policies, effective employee training and consistent implementation, along with secure computer software and hardware, are the building blocks of data security, experts say.

To assist small businesses, the Council of Better Business Bureaus has issued a guide to protecting customer data, "Security and Privacy -- Made Simpler." The online guide, along with a downloadable Web seminar and continuing updates, is available free at

This fall, the group, which compiled the information with help from Privacy and American Business, a service of nonprofit think tank the Center for Social and Legal Research, will release a guide on how to protect employee data.

It's an important issue for all businesses, which have responsibilities under a growing body of state and federal privacy law. In California alone, 70 privacy and identity theft laws have been passed since 1999, said Joanne McNabb, chief of the California Office of Privacy Protection, a division of the state's Department of Consumer Affairs.

(The department has its own guide to practices for businesses at

"Your customers care about it and your employees care about it, and therefore you will necessarily care about it," said Steve Cole, president and chief executive of the better-business council. "But it's manageable."

Two principles to keep in mind: Don't collect personal information from a customer unless it is absolutely necessary. And don't hold on to such information any longer than it is needed.

To start, security experts say, find the weak spots in data security at your company, listing all the ways you collect customers' personal information, where it is stored and who has access to it. In addition to Social Security numbers, this information can include transaction patterns and account records.

Some companies may decide to bring in an information technology consultant or lawyer to find and address potential data security risks.

With or without outside help, a company needs to create a written security and privacy policy. There are online resources to assist with this step, including BBBOnLine ( and the Direct Marketing Assn.'s site (

Once policies are in place, experts say, companies must train employees regularly to follow the rules and to use computer security tools such as effective passwords, data encryption and security software.

The sensitive data on the stolen Fidelity laptop, for example, was encrypted.

Security software also can help protect against the relatively new phenomenon of key-logging (the use of malicious software that captures computer keystrokes, including passwords), spyware and Trojan-horse viruses, said Peter Schmalzle, owner of SmallSystems Inc.

Schmalzle, whose San Diego information technology firm specializes in small businesses, uses four antivirus and antispyware programs to seek out and destroy malicious software on a company's computers.

"It's a tedious process, but it's worth it because then you know the machine is clean," he said. He recommends that his clients then run a basic security program once a week.
