Beauty Store Business

FEB 2013


Issue link: http://beautystorebusiness.epubxp.com/i/103399


Beauty & The Law

If you store Massachusetts residents' personal information on a computer or electronically, then the law requires you to have even more written procedures in place. You will need to:
• control user IDs;
• have a secure system of assigning passwords;
• control passwords so they are secure;
• limit access so only users who need personal information to perform their jobs can see it;
• block access after a user enters the wrong password several times;
• assign a unique password to each user;
• encrypt all data that will be transmitted over the Internet or over wireless connections, or kept on laptops or other mobile storage devices;
• detect unauthorized access;
• use Internet firewalls;
• use anti-virus and security software that updates regularly; and
• train employees on your procedures and why they are important.

California has a less strict law that requires retailers to have security procedures to protect California residents' personal information if it is not encrypted. Connecticut's law requires businesses that have personal information to destroy the information and make it unreadable before it is thrown away. Throughout the country, new bills are being introduced all the time, so it's important to check the laws in the states where you do business on a regular basis.

KNOW WHAT TO DO IF YOU HAVE A SECURITY BREACH

If you have a security breach, you will need to comply with numerous state laws that require you to notify customers about the risk to their personal information.

A Model Data-Security Policy & Procedure

Our policy is to respect the personal information of all our customers and employees. We will take all reasonable steps to protect that information from falling into the wrong hands. If our customers' and employees' personal information is lost or stolen, we will make notifications as required by law.
The president (or you could name another employee, such as the security officer or office manager) is in charge of security and shall maintain this procedure and update it as needed.

How we protect personal information

When we have employees' Social Security numbers or customers' debit- or credit-card numbers, we will keep them in a secure place.
• Paper records will be kept in locked filing cabinets.
• Electronic records will be kept in files that are protected by passwords with at least seven characters, including both numbers and letters. A user will be locked out after six attempts with incorrect passwords.
• We won't store personal information in the cloud or on servers that are not ours unless the company that we deal with is certified by a nationally recognized organization as following the recommended industry standards for data security.
• No records may be copied onto portable media such as laptops, CDs or DVDs. The only exception is backup copies of company records, which must be password protected and stored in locked file cabinets.
• The office manager will have the only key to the file cabinet where personal information is stored, and is the only person who can open the file cabinet.
• Any company that provides services to our business and that will need to access personal information must agree in writing to have security measures that comply with the laws of all states.

Employee access to personal information will be limited
• Only authorized employees may have access to passwords. At least every two months, and every time an employee who has the password leaves the company, the passwords will be changed.
• Each authorized employee will have his or her own unique password to the computers where personal information is stored.
Additional protections for credit-card and debit-card numbers

Credit-card and debit-card numbers and security codes will be managed using the procedures above plus the procedures in the Payment Card Industry Data Security Standard. These include:
• Only keep data so long as we are still using it.
• Use a firewall on all computers.
• Set our own passwords whenever we buy a new software program.
• Encrypt data whenever credit- or debit-card numbers are submitted to processing centers over the Internet.
• Keep our anti-virus software up to date and set it to check for updates every day.
• Any software we purchase or have developed must have security features consistent with this policy. It must log each time an employee accesses personal information.
• Only employees who need access to credit- or debit-card data to perform their jobs may have access or passwords.
• The office manager will test the security system at least every three months.
• Each employee must be trained and sign a statement showing that he or she has read this procedure.

Throwing out paper and electronic records
• When we throw out paper records, we will shred any records that have credit- or debit-card numbers, PINs and passwords, Social Security numbers, driver's license numbers, state ID numbers and any other personal information.
• Whenever we dispose of CDs, DVDs, thumb drives, computer hard drives or other electronic media that hold our customer or employee records, we will either physically destroy them so they cannot be read, or send them to a reliable data-destruction company that will erase all of the information on them so it cannot be restored, before recycling them or throwing them out. Make sure the data-destruction company has a good reputation, and preferably use one that is certified by a trade association.
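The electronic-record rules in the model policy above (seven-character passwords with letters and numbers, lockout after six incorrect attempts, one unique password per employee, a change at least every two months and whenever an employee who had the password leaves, and a log entry each time personal information is accessed) can be turned into a small access gate. The following Python module is an added example written for this page; it is not code from the article or from Beauty Store Business. The salted PBKDF2 password hashing, the 60-day reading of "two months", the status strings, the ManualClock test helper and the cautious offboarding rule (every remaining account must change its password after a departure) are assumptions of this example, not requirements the article states.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MIN_PASSWORD_LENGTH = 7                 # policy: "at least seven characters"
MAX_FAILED_ATTEMPTS = 6                 # policy: "locked out after six attempts"
PASSWORD_MAX_AGE = timedelta(days=60)   # policy: "at least every two months" (60 days assumed)
PBKDF2_ITERATIONS = 100_000             # hashing parameters are an assumption of this example


def password_meets_policy(password: str) -> bool:
    """Policy: at least seven characters, including both numbers and letters."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))


class ManualClock:
    """Constructed test clock so password ageing can be exercised offline."""
    def __init__(self, year: int, month: int, day: int):
        self.now = datetime(year, month, day, tzinfo=timezone.utc)

    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)

    def __call__(self) -> datetime:
        return self.now


class PersonalInfoStore:
    """Gatekeeper for files holding personal information (SSNs, card numbers)."""

    def __init__(self, clock=None):
        self._now = clock or (lambda: datetime.now(timezone.utc))
        self._users = {}       # user_id -> credential record (never shared)
        self.access_log = []   # policy: log each access to personal information

    def add_user(self, user_id: str, password: str) -> None:
        """Each authorized employee gets his or her own unique account."""
        if user_id in self._users:
            raise ValueError(f"{user_id!r} already exists; accounts are never shared")
        if not password_meets_policy(password):
            raise ValueError("password must be 7+ characters with letters and digits")
        self._users[user_id] = {"failures": 0, "locked": False}
        self._store_password(user_id, password)

    def _store_password(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[user_id].update(salt=salt, digest=digest,
                                    set_at=self._now(), must_change=False)

    def _verify(self, user_id: str, password: str) -> bool:
        rec = self._users[user_id]
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
        return hmac.compare_digest(digest, rec["digest"])

    def authenticate(self, user_id: str, password: str) -> str:
        """Returns 'ok', 'locked', 'bad-password', 'change-required' or 'unknown-user'."""
        rec = self._users.get(user_id)
        if rec is None:
            return "unknown-user"
        if rec["locked"]:
            return "locked"                      # stays locked even for the right password
        if not self._verify(user_id, password):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILED_ATTEMPTS:
                rec["locked"] = True
                return "locked"
            return "bad-password"
        rec["failures"] = 0
        if rec["must_change"] or self._now() - rec["set_at"] > PASSWORD_MAX_AGE:
            return "change-required"
        return "ok"

    def change_password(self, user_id: str, old_password: str, new_password: str) -> bool:
        rec = self._users.get(user_id)
        if rec is None or rec["locked"] or not self._verify(user_id, old_password):
            return False
        if not password_meets_policy(new_password):
            raise ValueError("new password must be 7+ characters with letters and digits")
        self._store_password(user_id, new_password)
        return True

    def access_record(self, user_id: str, password: str, record_id: str) -> bool:
        """Policy: the software must log each time an employee accesses personal information."""
        outcome = self.authenticate(user_id, password)
        self.access_log.append({"when": self._now().isoformat(), "user": user_id,
                                "record": record_id, "outcome": outcome})
        return outcome == "ok"

    def offboard(self, user_id: str) -> list:
        """Policy: when an employee who has the password leaves, the passwords are changed.
        Assumed reading: remove the account and make every remaining account change
        its password at next login. Returns the accounts that must now change."""
        self._users.pop(user_id, None)
        for rec in self._users.values():
            rec["must_change"] = True
        return sorted(self._users)
```

Every decision is returned as a status value rather than only printed, so the same calls can drive a login screen, a quarterly test by the office manager, or an audit of the access log; the log records denied and locked attempts as well as successful ones, which is what a reviewer needs when investigating a suspected breach.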
Procedure after a security breach
• If a laptop is stolen or our offices are broken into, we will report the theft or break-in to the police and the business's insurance company.
• Check the National Conference of State Legislatures' website for an updated list of jurisdictions that have notification requirements we will have to comply with.
• As required by law, if there is any loss of personal information, we will notify all the people whose personal information is lost or likely obtained by an unauthorized person.
• Individuals will be notified by mail or email as soon as possible. If we do not have addresses, we will put a notification on our website homepage and notify state news organizations.
• If more than 1,000 individuals' data is lost or breached, we will also notify Experian (experian.com), Equifax (equifax.com) and TransUnion (transunion.com).
• We will provide credit monitoring for affected consumers for one year. Decide if you want this in your procedure because consumers have come to expect it after a company compromises their information; delete it if you don't want to do this.

Ongoing improvements
• We will investigate the root causes of any security breach and revise these procedures to prevent the problem from happening again.
• We will review these procedures at least annually and every time we make a change in our business that could affect security.
• Any time an employee notices a security risk or a situation that could lead to a security breach, he or she will tell the president, who will implement any changes to this procedure that are reasonable and are likely to address the risk.

Discipline
Any employee who violates these procedures may be subject to disciplinary action, including termination.
