Most small businesses handle a fair amount of personally identifiable information – files or documents with client and employee Social Security numbers, credit card information, names, addresses, and email addresses. These files are a goldmine for hackers, and if you don't want to dangle extra data breach bait, you should create a system for carefully storing them.
To reduce your cyber liability exposure (a good plan even if you have Cyber Liability Insurance to address the financial fallout after a data breach), consider tossing these three types of files and documents. Bonus: doing so may also reduce some physical and digital clutter around the office.
1. Get Rid of Old Tax Records to Reduce Data Breach Exposures
Tax returns are obvious targets for hackers and identity thieves, but if you're like many small-business owners, you may be tempted to hold on to every return since the dawn of time.
The exception: You may need to hold on to some of the information that accompanies your tax return. Beran notes, "Tax records that support cost of assets owned should be retained three years after the asset is disposed."
2. Toss Old Employment Records to Safeguard Employee Data
Be careful when sorting through employment records. You can dispose of some of these records after several years, as Beran notes. Others need to be kept permanently.
For example, Beran states a business owner must retain IRS records for employee payments, employer tax deposits, and reports for at least four years. (That includes W-9s for contractors.) On the other hand, the Department of Labor allows for the disposal of employee pay rate, hours worked, and time cards after two years.
The exception: Because a number of agencies govern employment records, retention requirements vary. To reduce your liability, Beran recommends small-business owners "consult their tax advisor, accountant, and attorney to develop policies and procedures for proper records management."
3. Delete or Toss Old Correspondence to Reduce Cyber Liability Exposures
Your inbox is probably full of important data. For example, if clients have ever sent their credit card numbers along with their signed contracts or you've had a W-9 form emailed to you, you're sitting on valuable data. What's worse, you can be liable if that data is stolen.
The exception: You may need to transfer sensitive information from your inbox to a more secure location. This is especially true if your email contains business records such as insurance policies, leases, or contracts.
Though you may be tempted to delete everything, hang on to client correspondence about the status of a project. You might need these messages to support your defense if a client is unhappy with the project's outcome and files a professional liability lawsuit later.
3 Tips for Safely Disposing of Sensitive Documents
- Brush up on the policies and procedures for disposing of sensitive information. Beran says every data and information protection law and regulation (e.g., the Privacy Act, FACTA, HIPAA Security Rule, and Payment Card Industry Data Security Standard) has specific requirements for how businesses should dispose of data and documents with personal or identifiable information. Follow those procedures to stay compliant.
- Check out best practices for paper shredding. Kevin Barnicle, CEO of full-service information governance company Controle (@TakeControle), notes you can find best practices for safely disposing of information around the web, and we suggest you start with this guide from the Privacy Technical Assistance Center [PDF].
- Outsource the shredding. "As a past president of the National Association of Information Destruction, I support working with a NAID-certified data and information destruction (“shredding”) company that carries the proper professional liability and indemnification data insurance," Beran says. That way you know your information is destroyed in a way that complies with all relevant regulations.
2 Tips for Safely Storing Sensitive Documents
- Store your sensitive info in the cloud or with a reputable records management facility. For business records you should permanently keep (partnership agreements, business licenses, or patents), Beran recommends storing the information in the cloud. He suggests Backblaze, Carbonite, and NovaStor, which offer secure storage options. For physical documents, look into a records management facility with solid references, licensing, insurance, and security.
- Put your files under lock and key. "Some of the oldest tricks are the best: a simple key on a filing cabinet is a great way to store paper files," Barnicle says. It also lets you decide who gets access to those files.