
2. Scale down - Keep only what you need for your business

If you don't have a legitimate business need for sensitive personally identifying information, don't keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it's necessary.

  • Use Social Security numbers only for required and lawful purposes, such as reporting employee taxes. Don't use Social Security numbers unnecessarily, for example as an employee or customer identification number, or simply because you've always done it.
  • The law requires you to shorten, or truncate, the electronically printed credit and debit card receipts you give your customers. You may include no more than the last five digits of the card number, and you must not print the expiration date. (This rule covers receipts printed electronically at the point of sale; it does not apply to handwritten or imprinted receipts.)
  • Don't keep customer credit card information unless you have a business need for it. For example, don't retain the account number and expiration date unless you have an essential business need to do so. Keeping this information, or keeping it longer than necessary, raises the risk that it could be used to commit fraud or identity theft.
  • Check the default settings on the software that reads customers' credit card numbers and processes the transactions. It is sometimes preset to keep that information permanently. Change the default so you are not storing information you don't need, and verify the change by checking what the software actually writes to disk or to its database after a test transaction.
  • If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.