In returning to our cybersecurity series, the second of five keys to a sound cybersecurity plan considers collecting only the personal data that is necessary to your business’s needs. Recall that personal data generally includes a person’s name in combination with other identifying information.
 
The rule of thumb is that if you do not have a legitimate business need for certain personal data, you should not keep it or even collect it. If your business has a legitimate need for collecting certain personal data, the best approach is to keep that data only as long as it is necessary to conduct your business transactions and as long as the law requires.
 
A few examples for following this second step include the following:

• Check the default settings on your software that processes transactions and credit card numbers because sometimes software is preset to permanently store information.
• Ensure that electronically printed credit and debit card receipts contain no more than a few digits of a card number and that the expiration date is not printed.
• Do not retain customer credit card numbers, expiration dates or other personal information gathered from the magnetic strips on credit cards without an essential business need for it. Retaining this information, or keeping it longer than necessary, increases your risk for the information to be used to commit fraud or identity theft. Once your business need is over, properly dispose of it.
• Use Social Security numbers sparingly and only for lawful purposes like reporting employee taxes. While this advice may seem obvious, you may remember a time when your Social Security number was also your driver’s license number.
• If your business needs or the law requires that you keep personal data, develop a written records retention policy to identify what information to keep, how to secure it, how long to keep it, and how to securely dispose of it.