By Linda Coniglio, Director of Privacy and Information Governance
Most organizations keep sensitive personal data such as names, Social Security numbers, credit card, or other account data in unstructured data sources — considered by many the least protected data sources in an organization. This sensitive personal data is often necessary to fill orders, meet payroll, or perform other business functions. However, if sensitive data falls into the wrong hands, it could lead to fraud; identity theft; or worse yet, loss of consumer trust in the organization. If the organization must defend itself against a security breach lawsuit, it could be an expensive endeavor. According to research compiled by Ponemon Institute and IBM Security, the cost per file containing sensitive personal information is $180. After conducting several file share cleanup projects, Innovative Driven finds the average number of files containing sensitive data per terabyte is 20,000. Doing the math, that would mean a $3.6 million expense if just one terabyte was compromised.
The Federal Trade Commission offers guidance for building a sound data security plan, and it’s based on 5 key principles:
- Take Stock – Know what personal information the organization has and in which systems it is stored. Determining the best way to secure information can only be accomplished with an understanding of how personal information is stored, how it moves through the business, who has access to it, and with whom it is shared. Yes, this first principle strongly suggests creating a Data Map, especially an automated one, is a must. Start with functional areas most known for collecting and using personal data such as the sales department, human resources, accounting, or information technology. Because there are laws that require organizations to keep sensitive data secure, get a complete picture of:
- Who sends sensitive personal information to your business
- How your business receives personal information
- What kind of information you collect at each entry point
- Where you keep the information you collect at each entry point
- Scale Down – Keep only what you need for your business. It there isn’t a legitimate business need for sensitive personal information, don’t keep it. Better yet, don’t even collect it. If there is a legitimate business need for the information, keep it but only for as long as it’s necessary for the purpose for which it was collected. If sensitive personal information isn’t in systems, it can’t be hacked. If information must be kept for business purposes or to comply with laws, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when no longer needed.
- Lock It – Protect the information you keep. The most effective data security plans deal with four key elements:
- Physical security – Many data breaches happen the old-fashioned way through lost or stolen paper documents or by employees accessing systems without a need to know. Often the best defense is a locked door or cabinet, up-to-date permissions, or an alert employee who says something.
- Electronic security – Computer or system security isn’t just the job of IT. Everyone should understand the vulnerabilities of systems and follow best practices identified for general network security; authentication; device security such as laptops, smartphones, tablets, digital copiers, or backups; or detecting breaches. Check out a Business Guidance Resource from the FTC that provides many recommendations for protecting personal information. Sound security is no accident.
- Employee training – Your security plan is only as strong as the employees who implement it. Time taken to explain security rules and policies to all employees is time well spent. In addition, train employees to spot security vulnerabilities. To emphasize the importance the organization places on meaningful data security practices, periodic training is critical. A well-trained workforce is the best defense against identity theft and data breaches.
- Security practices of contractors and service providers – In addition to employees, the organization’s security practices depend on contractors and service providers. Before outsourcing any business functions, compare the company’s security practices to your own. Put security expectations in written contracts and verify compliance.
- Pitch it – Properly dispose of what you no longer need. What may be ROT (redundant, outdated, trivial) to you can be treasures for a hacker. To properly dispose of sensitive personal information, ensure it cannot be read or reconstructed. Disposal practices should be reasonable but appropriate to prevent unauthorized access or use. And remember to make sure employees working from home follow the same procedures for disposing of sensitive documents, old computers, and portable storage devices.
- Plan Ahead – Create a plan to respond to security incidents. Protecting data goes a long way towards preventing a security breach; however, a breach could still occur. To reduce its impact on the business, your employees, and your customers:
- Create an incident response plan and designate a senior member of the organization to coordinate and implement it.
- Immediately disconnect a system from the network if it has been compromised and take steps to close vulnerabilities to personal information.
- Consider whom to notify, both inside and outside the organization, if an incident occurs.
There’s no one-size-fits-all approach to data security. What’s reasonable for your organization depends upon the nature of your business and the kind and amount of sensitive personal information collected. Keep in mind, some of the most effective security measures can be implemented with little or no cost – for example, using strong passwords, keeping paper and electronic content locked up, regularly training employees.
Some businesses have the expertise in-house to implement an appropriate data security plan. Others may find it helpful to hire an experienced service provider. Regardless of the size or nature of your business, the above FTC principles go a long way toward keeping your data secure. It’s cheaper in the long run to invest in privacy compliance by securing sensitive personal information than to lose the trust of customers or face consequences such as legal actions of a data breach.
Contact a Privacy Expert Today