The Official Rules for Keeping Customer Data Safe

Oct. 9, 2020

The U.S. government has a handy guide for keeping that data safe. Review the strategies here.

Your shop likely has a lot of customer and employee information stored digitally. Those files are useful for essentials like bookkeeping and keeping track of return customers, and they can help shops target marketing campaigns.

To stay within the law and retain customer trust, you want to make sure that you are the only entity accessing and using that data. Follow this guide to make sure you are handling sensitive information with care.

The Federal Trade Commission's guide for business owners, "Protecting Personal Information," lays out a five-point plan for assessing data security.

Inventory

The first step is to take stock of every device, system and person with access to sensitive information, including backups, cloud or vendor services and anyone working remotely. Be thorough: if a service writer at an auto shop links his or her phone to information on a work computer, that is worth noting, because that phone is now part of your inventory.

Run Lean

The second step is to keep a lid on how much information you collect and retain. Keep a lean data operation.

“If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary,” the FTC says.

Additionally, give employees access only to the information they need to do their job, and nothing more. That means each employee gets his or her own login rather than a shared shop password, so access can be limited and, if necessary, revoked per person.

Lock it Down

Third is the security step. This applies to physical files as well, but electronic security is where many owners have blind spots. The FTC says that owners need to be fully aware of how employees use computers. Certain websites, email attachments and downloaded programs can all be points of vulnerability, and so can software that is never updated. Train employees on best practices for web and email use, and keep operating systems and programs patched.

Shops should also be aware of how guests connect to the Wi-Fi network and whether that connection provides a pathway to sensitive data. A guest network should be kept separate from the network that carries shop and customer records. The same goes for contractors who might temporarily have access to a computer or network: give them their own credentials and remove them when the work is done.

Proper Disposal

Much of the disposal guidance covers the proper destruction of physical files. But shops also have to make sure that their hardware contains no personal information when it is disposed of. If your shop is getting new computers, make sure the old units have been properly wiped of data. This requires more than the desktop recycle bin or a quick format. A practical approach is to use the wiping or secure-erase function built into the drive or operating system, or to have the drives physically destroyed; and if the old machines used full-disk encryption from the start, destroying the encryption key renders the data unrecoverable. Note that solid-state drives do not reliably respond to overwrite-based "shredding" tools, so prefer the drive's own secure-erase command or physical destruction for those.

“Deleting files using the keyboard or mouse commands usually isn’t sufficient because the files may continue to exist on the computer’s hard drive and could be retrieved easily,” according to the FTC.

Incident Plan

If a breach does happen, you will be in a better position to remedy the situation if a plan is already in place. Designate a senior staff member to coordinate the response on the ground, and decide in advance whom to contact: law enforcement, your IT provider, and the affected customers and employees. Most states have breach-notification laws that set deadlines for telling affected people, so know what yours requires before an incident, not after.