The importance of restricting internal access to personal information was the subject of a recent blog post by the Federal Trade Commission (FTC). The FTC, which exercises data privacy and security enforcement authority over all for-profit companies, identified specific organizational do’s and don’ts for preventing the compromise of employee or consumer data.
“Not everyone on your staff needs unrestricted access to all confidential information you keep,” observed Thomas Pahl, acting director of the FTC’s Bureau of Consumer Protection, in the August 4 posting. “The better practice is to put sensible controls in place to allow access to employees who need it to do their jobs, while keeping others out.” This can be as simple as a locked cabinet for paper files, or separate user accounts that limit who can view sensitive files on the network, he said.
The FTC laid out some examples based on its investigations, settlements, and questions from businesses.
Example 1: Staff members at an employment agency review personnel files that sometimes include Social Security numbers. The employment agency makes sure that all employees have a locking desk drawer. In addition, the agency has a “clean desk” policy that requires workers to secure all sensitive paperwork when they leave at the end of the day—a policy the company monitors with periodic walk-throughs.
Because this employment agency takes steps to see that employees keep documents that contain personal information under lock and key, it’s less likely that an unauthorized person could access the data, the FTC stated.
Example 2: Employees of a small company share one workstation. The staff member in charge of payroll has password-protected access to a database of employee information. The staff member in charge of shipping has password-protected access to a database of customer accounts.
By limiting access based on a business need, this company has reduced the risk of unauthorized use.
Example 3: A company offers an app that allows users to create profiles that include personal medical information. The system gives all employees—IT staff, sales representatives, HR personnel, and support staff—access to customer profiles.
By giving access to sensitive data to staff members who don’t need it for the performance of their duties, this company has created a situation that could put highly confidential information at risk.
Limiting Administrative Access
The FTC also discussed the need to limit administrative access—that is, the technical ability to make systemwide changes to a network or make changes such as software installation to desktop computers.
“Just as a bank gives the combination to the central vault only to a few people, companies should limit admin rights accordingly,” Pahl wrote. “The risk is apparent: An untrustworthy administrator—or too many employees with admin rights—can undo the steps you’ve implemented to keep your system secure.”
Example 4: A tech company uses the same login for all employees. The login has administrative rights that enable designated IT staffers to make systemwide changes. But that same login is used by the company’s receptionist, a sales assistant, and a summer intern.
The wiser approach would be for the company to require different logins with only those privileges necessary for that employee to do his or her job, the FTC noted.
“Stick with security: Control access to data sensibly” is the latest in a series of FTC blog posts elaborating on the security best practices that the FTC set forth in “Start with Security: A Guide for Business.”