Physical Safeguards to Protect Client Data
Physical safeguards prevent unauthorized persons from physically stealing data from your facility or wherever else you store customer data, be it on paper or on electronic media. Physical theft can happen in many situations, including:
- if an unauthorized person enters your facility (e.g. office, home, or anywhere else that you work with customer data), especially after hours or when no authorized persons are present
- if a person who is authorized to enter your facility (e.g. for maintenance or cleaning) but not to access your data obtains access to your data
- when sensitive data arrives at a fax or printer outside of the supervision of an authorized person
- when you travel with sensitive data to a client location, out of town conference, or even on a vacation with your laptop or other device that contains customer data (e.g. a laptop left in your car could be stolen when taking a grocery shopping stop on the way back from work)
- during emergencies or disruptions due to power outage, weather events, facility repairs/remodel, or other situations when normal safeguards are not in effect (e.g. data is removed from secure premises to protect against imminent flooding)
- facility moves, which involve moving the data from one secure location to another.
Obviously, we need safeguards that reduce the likelihood of data theft in each of the above situations and other situations where data is physically vulnerable.
The safeguards must be practical, that is, they should be cost effective and should not negatively affect productivity significantly. We cannot operate our business out of a fortress protected by armored tanks if we want to stay competitive.
The following sections provide commonly accepted practical safeguards that help protect against many types of physical data theft.
Facility level access control
Where do you store information - at your office, at home, or both? Does your firm have multiple office facilities? Each such location or facility needs to be assessed separately, since they may vary in building characteristics, lease agreement details, and the nature of visitors.
Client information can be on paper copies (hardcopy) or in digital format. Physical safeguards are needed to protect both.
The first physical safeguard is access control. Your home or office probably already has a secure lock with a deadbolt, operated either with a mechanical key, a security code, or an electronic key fob. If so, this is already taken care of.
But if the current lock is not a secure one (e.g. a privacy door knob without a deadbolt), change it. If it’s a rented property, always get the landlord’s permission first and ensure that the landlord has a key to the new lock. Facility level access control reduces the probability of malicious physical access to your computers and paperwork.
You may also consider installing a security alarm system that alerts you about any unauthorized entry. Such systems can be self-monitored (alerts are only sent to you, typically to your mobile device) or centrally monitored (alerts are sent to a central station, and they may call the police if needed).
Second level access control
A second level access control is almost always needed since the facility itself can be accessed by persons who are authorized to access the facility but not authorized to access your data.
The facility may be accessed by visitors and clients during business hours, and by maintenance staff, housekeepers, cleaners or others after hours. If you work from home at least some of the time and keep customer data there, family members and their friends or visitors will also have access to the facility, including when you are not present.
You may not always have control over who is authorized to enter the facility. Someone else may decide which vendors are hired for maintenance, and you will likely not control who those vendors hire as employees. You may not have the authority or resources to run background checks on all such persons. Even if your office is a single room with no facility maintenance staff access, and you are always present when clients visit, a second level access control is still handy should you have to step out for a minute to take an urgent phone call or a restroom break while the client waits at the office.
How to implement second level access control?
For hardcopy information: Ensure that all confidential paperwork is stored in locked drawers or cabinets. Keep a lockable drawer free so that you can quickly move all your working papers from your desk into it when you leave for the day or leave your desk for an extended period. This helps implement the so-called clean desk policy.
Digital data on computers: Use a cable lock to secure your computer or laptop to something fixed or to heavy office furniture.
Removable storage devices: Do not store client data on removable storage devices (CDs, DVDs, USB/Thumb drives, external storage disks, etc.) as these are very hard to track and secure.
Consider why you use removable storage. It is usually either for moving data between computers or for data backup.
- For moving data from one computer to another, or to a different location (such as from your work computer to a home computer), use a secure document portal.
- For backups, you have the following options to secure them:
  - Use a secure cloud based backup service, with encryption, such as CrashPlan or Carbonite.
  - Use encrypted drives only (see how in this article), so that even if the drive is stolen, the data is safe.
Only persons authorized to handle customer data should have access to the second level access control keys. And any access by others must happen under the supervision of an authorized person.
Additional layers of access control, such as locks on individual office doors within a facility, can enhance both convenience and security. For instance, cleaning services hired to spruce up the front office area after hours will be prevented from accessing individual staff offices, which may be cleaned only when a staff member is present.
Printers and Fax Machines
Sensitive data may arrive at a fax machine unannounced. If a common area printer is used, sensitive documents may be printed to it and not collected immediately. There are various easy and free methods to protect such data. Consider the following options:
Electronic Fax: Instead of using a physical fax machine, sign up for an electronic fax service (e.g. Faxage, e-fax, Nextiva, among many others). These services are typically cheaper than maintaining a spare phone line for the fax and a physical fax machine. Also, it frees your resources from the hassles of paper and ink/toner loading. Incoming faxes arrive in your secure account, with optional email notifications. You can view the faxes on your computer and print them only if necessary.
PIN access printing: Some printers and faxes can save incoming files electronically, and only print them when the user enters a security code or PIN. The expectation is that since the user must come to the printer or fax machine in person to enter the PIN, they will remove the printed material from the device immediately following the printing.
Locked office: If common area or shared printers and faxes are used, they may be placed in a locked office that is only accessible to authorized persons. Another option is to use individual printers at each desk, with users advised to remove printouts before leaving their desk.
Traveling with customer data
Traveling with customer data is often unavoidable. You may wish to take some files or your laptop home to work over the weekend, or to use the same laptop for other purposes when traveling to a conference.
None of the facility level or second level access controls are in effect when traveling.
Hardcopy data is hard to protect during travel, but reasonable precautions can be taken, such as not leaving it unattended wherever possible. If it must be left unattended:
- At a hotel: Use their secure safe to store sensitive data including paper files and your laptop.
- In a vehicle: leave it out of sight, such as hidden under a seat or in the trunk.
- In an airplane when taking a nap: Place your briefcase or file-holder under the seat in front of you rather than in the overhead bin.
For digital data, the best strategy is to use encryption. One accountant had his car stolen in February 2017 with a laptop containing customer data in the car’s trunk. Had the laptop been encrypted, it would not have become a data theft incident that had to be reported. The article on Digital Safeguards: Devices explains how to enable encryption on your computers and mobile devices.
Emergencies and disruptions
The best protection against emergencies is to establish emergency procedures before the emergency arises. For instance, if you are located in a flood prone zone, create a procedure to safeguard data (e.g. move it to a higher floor) beforehand. Planning ahead allows you to consider the security requirements and to provide the means of implementing the relevant safeguards before the disruption occurs.
Your procedure should specify who is authorized to take emergency actions, how they will get access to the data resources in order to protect or move them, and what safeguards they will use during the emergency.
Facility moves
As you plan your move, consider the security of the customer data during and after the move.
Can all your customer data be consolidated to a small number of computers or files that authorized persons can move on their own?
If not, what protection will be in place in case of loss of any of the data resources? Remember, even if you purchase full value coverage to protect against damages or theft during the move, that coverage only protects the physical equipment and not the data. Consider the following suggestions:
Lock and seal (e.g., with tamper evident security tape) all file cabinets that will be moved without being emptied. Number each of them. At the destination, verify that each such numbered cabinet is received and that the seals/locks are intact.
For customer files packed in boxes, tape them with tamper evident security tape on all edges. This type of tape is not expensive and shows a visible mark, text, or color if an attempt is made to remove it. Again, number each box. At the destination, verify the box count and check the tamper evident tape for marks or cuts.
For computers, make sure encryption is enabled (see how in Digital Safeguards: Devices) on each computer and that they are powered down. Laptops are often not moved by moving companies, but if they are, make sure they are shut down rather than simply placed in sleep mode. Powering down completely is necessary to obtain the full protection of encryption, because a computer in sleep mode may still hold the encryption keys in its memory.
Maintaining security during the move will typically require that the sensitive data is packed by (or under the supervision of) authorized persons only.
At the destination, such data should be unpacked by authorized persons only. Once unpacked, data (paper files, electronic devices) should immediately be secured using the facility level and second level access control methods determined to be used at the new location.
The above steps take care of a large fraction of security risks and make your firm a less attractive target. These should be implemented by firms of all sizes, including solo practices.
You may also want to consider additional steps, especially at larger firms or if you are implementing security policies to pass external audit requirements. You will need to put procedures in place for the protection of data in case of fires or natural disasters (e.g. floods, earthquakes, tornadoes), a process for accessing data when a key staff member with access is unavailable (e.g. a client return needs to be amended urgently while the responsible partner or staff member is on vacation), requirements for staff background checks, and disciplinary actions for violation of adopted security practices by staff members. The exact list of such steps depends on the security standard you wish to comply with.
Use this free data security template to check off your physical data protection safeguards.