Self-storage businesses accumulate a variety of personal information about customers, including drivers license, Social Security and credit card numbers, addresses and phone numbers. Keeping this data poses a potential problem: If we dont take steps to protect it, we risk theft or loss, which could prove disastrous for our customers and businesses. If youve ever had your identity stolen or know someone who has, then you know how terrible an experience it is for the victim.

When a customer shares identification with us, its an expression of trust. We have a responsibility to live up to that trust and do everything possible to protect that information. Besides risks to customers, what about your business? You could hold financial liability if stolen identities are used, criminal liability for failure to report the loss of identity information (in most states), loss of revenue if stolen identities are used in rentals, negative publicity as cases of identity theft are always big news stories, and loss of your credit card merchant account, eliminating your ability to accept credit cards.

I'm not a legal or insurance professional, but I believe general liability policies for self-storage facilities do not normally include any protection against these risks. What is required is a special type of Errors and Omissions Policy specifically protecting against these risks. I recommend checking with your insurance professional about this.

First Steps

Create a Comprehensive Privacy Policy that lists all procedures you must follow to reduce identity loss, and describes the actions to be taken if it occurs. If you already have a privacy policy, review it to make sure it is up to date. Look these over annually to assure compliance with any new laws or regulations.

Visit the Inside Self Storage website (www.insideselfstorage.com) and do a search for Privacy Policy in Articles on Demand. I know of at least two articlesone by Jim Chiswell and another by Scott Zuckerthat offer valuable information on this topic.

Your Privacy Policy must outline steps to protect the information in your custody. This includes protecting computer access by using passwords for entry, and relying on back-up disks and jump drives. Also, secure hardcopies in locked file cabinets.

Create policies and procedures to destroy unneeded information, including shredding paper information (such as photocopies of driver's licenses) and deleting personal information from computer records (Social Security numbers, for example).

Most states have passed laws regulating how and when business owners must report the loss-of-identity information to the authorities. Check to see if your state has passed such a law by searching the Internet for identity theft law with your states name tagged at the end.

Strive to prevent the use of stolen identity in the rental of units by taking reasonable steps to verify customer identities, training staff to carefully compare photos and physical descriptions with the actual person. If necessary, take appropriate action when a discrepancy is suspected (such as asking for another form of identification).

Credit Cards

If you accept credit cards, youre required to comply with the rules and regulations issued by the primary card-processing companies: VISA, MasterCard, American Express and Discover. As a group, they have created the Payment Card Industry Data Security Standard. In addition, each company has its own set of rules, but many merchants use Visas rules, referred to as the Cardholder Information Security Program (CISP). You can view them at http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_
merchants.html?it=c|/business/accepting_visa/ops_risk_management/cisp.html|Merchants . 

CISP sets the standards that merchants must follow to guard customers information. Up until now, Visa and other companies have been lax in determining whether merchants are following requirements, but this is changing and it will soon be common for companies to be audited by the credit card companies. Unfortunately, most merchants dont know these requirements and frequently break the rules.

One of the most common violations is the practice of photocopying a card and/or saving the three- or four-digit CVV number. Its against the rules to store this number anywhere; it may only be used for an immediate transaction.

If you currently have this information, destroy it. If you use it regularlyfor recurring payments as an exampleto benefit from a better rate, be aware that youre in violation and are risking your merchant status. Delete these numbers from your computer as well.

Visit the CISP site listed above and check out individual card companies for more information regarding credit card rules:

Officially Speaking

The United States Cyber Consequences Unit (US-CCU) is a government agency that deals with business policies to protect customers personal data. It has published a report, the Cyber Security Checklist (http://www.selfstorage.org/PDF/US-CCU-Cyber-SecurityCheckList2007.pdf).

The checklist contains information that applies to all businesses. While reading it, keep in mind some details do not apply to small businesses. The section on operator actions applies to just about all businesses, self-storage included. Use the checklist to create your Privacy Policy.

Address the appropriate steps in your Privacy Policy, train staff regularly on data protection and make sure everyone at your site follows all procedures carefully. Only a well-trained staff can ensure your self-storage facility is taking all the proper steps to protect the information customers have entrusted to you. 

Michael Richards is the president and founder of HI-TECH Smart Systems Inc., which has provided management software to the self-storage industry for more than 20 years. The companys flagship product, RentPlus, is in use in thousands of facilities in more than 20 countries. Mr. Richards has been involved in the self-storage industry since 1980. For more information, call 800.551.8324; visit www.hitechsoftware.com.