• Does the organization have policies and procedures for safeguarding personally identifiable information when transported outside of the office by portable computers?
• For employees who work at home, including temporary and contract staff, does the organization have policies, procedures and training programs which emphasize responsible information-handling practices?
• Is the network connection between home and work secure?

J. Social Security Numbers (SSNs) and the Use of Personal Identifiers
Case: The supervisor of a unit within a large state government agency sent an electronic mail message to every employee, listing all their names and Social Security numbers, disregarding the privacy and fraud implications of releasing that information.

The use of SSNs for record keeping purposes and personal identifiers should be strongly discouraged, and preferably prohibited. Proliferation of SSNs puts customers and employees at risk of allowing unscrupulous persons to obtain the number for fraudulent purposes, for example, gaining access to one''s banking and credit accounts.

• If the organization uses the SSN as a record keeping number, does it offer its clients and/or employees the option of using an alternative number?
• Does the organization have a strict policy prohibiting the display of SSNs on any documents that are widely seen by others, for example, time cards, parking permits, employee rosters and mailing labels?
• If the organization requires an access code for certain transactions (i.e., ATM cards, security system codes, building access cards, passwords), does it prohibit the use of SSNs, or any part of the SSN such as the last 4 digits, as personal identifier numbers?

K. List Security Guidelines
Case: Before departing the singles dating service office, a fired employee stole a computer diskette containing the supposedly confidential mailing list of all its clients. He sold the list to other dating services in the area.

• Does your organization maintain information on clients, customers, potential customers, users, and/or members? Does your organization make its lists available to other entities by selling, renting, or exchanging them? If so, the Direct Marketing Association (DMA) recommends that the following guidelines be practiced. These are adapted from DMA''s "Fair Information Practices Checklist." The use of the word "customer" below can be altered to fit your specific situation; it can apply to "clients," "members" and "users" alike.

Opt-out program

• Does your organization offer its customers name removal options? Are they effectively communicated?
• Do you subscribe to the DMA''s name removal services, the Mail Preference Service (MPS) and/or its Telephone Preference Service (TPS)? Are MPS and TPS names removed prior to list rentals or exchanges?