
Record Retention and Disposal

An Information Security Program should also include a written document retention and disposal policy. See Topic 11: Recordkeeping and Destruction of Records for more information on these policies.

State Data Security Laws

States are also enacting strict data security laws that apply to all organizations that maintain information about their residents. For example, some states:

• Require the development of a comprehensive written information security program, and the encryption of all personal information stored on laptops and portable devices or transmitted wirelessly or across public networks. Employee access must be limited, and paper records must be locked up.
• Require compliance with the Payment Card Industry Data Security Standard (“PCI-DSS”) for credit and debit card information and transactions.

Consult your own attorney to determine what specific state laws may apply to you.

Social Security Number Protection Laws

Many states have passed laws restricting the use, communication, posting, emailing, or mailing of Social Security numbers (SSNs) and other nonpublic personal information (“NPI”). Many of these state laws prohibit (i) denying goods or services to a person who declines to give their SSN, (ii) printing SSNs on ID cards, (iii) communicating SSNs to the public or posting or displaying them, (iv) mailing SSNs within an envelope, and/or (v) emailing SSNs or other consumer NPI in an unencrypted email. A few states require companies that collect SSNs to have policies in place to protect the SSNs.

California’s law provides a good example of prohibited activity and applies to businesses, government, and other entities. The law prohibits:

• Printing SSNs on ID cards or badges;
• Printing SSNs on documents mailed to customers, unless the law requires it or the document is a form or application;
• Printing SSNs on postcards or any other mailer where they are visible without opening an envelope;
• Avoiding legal requirements by encoding or embedding SSNs in cards or documents, such as in a bar code, chip, or magnetic stripe;
• Requiring people to send SSNs over the Internet, unless the connection is secure or the number is encrypted; and
• Requiring people to use an SSN to log onto a website, unless a password is also used.

SSNs should be truncated in any visual or printed form and be safeguarded in electronic and paper files. Encryption of Social Security numbers and other NPI is a best practice for electronic records and mandatory when transmitting SSNs over electronic networks such as the Internet.

IDENTITY THEFT AND FRAUD PREVENTION

2020 MEMBERSHIP DIRECTORY & SERVICES GUIDE HOT TOPICS

