In today’s increasingly paperless world, companies retain a vast store of customer and client data in various databases that help them conduct day-to-day business. This personal data can leave a company in a vulnerable position if it does not conduct regular privacy and security assessments. Such assessments should consider the following information and questions:
Are you protected? Does the company employ technical security measures such as firewalls, enforcement of strong password policies, termination of network access for employees who leave the company, intrusion detection systems and anti-malware protection, encryption (including on mobile devices), retention of access logs, and a policy of deleting sensitive information when it is no longer needed? The sensitivity of the data will determine whether more robust security measures should be employed for certain databases, but companies should always know what data they have collected and where it is stored. This knowledge helps evaluate any compliance issues, how best to safeguard the data, and how to respond effectively to breaches.
Have your employees been trained to spot and respond to security issues? Technical security controls can only go so far; employee cybersecurity training must go hand in hand with the implementation and maintenance of IT security systems. The actions or inaction of one careless employee can cost many times more than the investment in security measures.
Are you doing what you say, and saying what you do? Privacy notices and actual practices must mirror each other. The only way to do this is to ensure that employees are following the proper procedures.
Who has access? Controlling access to data is critical. Only those employees who truly need the data to do their jobs should have access to it. Limiting access helps lessen the risk of data breaches from within the company. Review contracts with vendors and service partners who have access to your data: a compromise of their network can become a compromise of yours. Cooperative IT security audits may be necessary.
Does your data have an expiration date? A records retention policy that provides for the safekeeping of data only while it is needed, after which it is archived offline or destroyed, helps to manage the amount of data a company has in its possession and also minimizes the amount of data that could be stolen.
What should you do if you’re compromised? If your company routinely collects and uses personally identifiable information, consider insurance coverage that is adequate to cover responding to a breach, remediating a breach, and the possibility of litigation. Does the company have a plan in place to respond to incidents of data breaches? Has the company exercised the plan in a real situation or a test situation and did it work the way you thought it would? The plan should include contact persons, such as your lawyer, so that if a forensics firm or other experts are needed, the company may be able to protect itself through attorney-client privilege throughout the incident response process, particularly if litigation arises.
A security breach can be catastrophic to a business. Competitive business interests, intellectual property, customer information and personally identifiable information are only some of the data at stake. Implementing and regularly reviewing your company’s IT security measures, together with periodic employee cybersecurity training, is crucial to protecting your business.