With the New Year well under way, the newly-resolute have come and gone, and the gyms and yoga studios are once again the realm of the year-round regulars. This column is dedicated to those who eschewed resolutions altogether (on the theory that one doesn’t need a special day to start trying to cultivate better habits) and to those — I suspect they are few — who set realistic, attainable goals and have stuck with them. In that spirit, I offer these suggestions for improving privacy practices in 2014. I’ve attempted to make these both scalable (so you can start small) and relatively self-contained (so you can implement them without having to undertake significant changes to policies and practices that are already in place). Obviously, these general tips may not be appropriate for every situation, and you should seek appropriate legal advice before you implement them in your organization.
1. Check your contracts
Contracts with vendors, consultants, independent contractors, joint venturers, service providers and others should impose affirmative obligations to use best practices in collecting, storing, using, transmitting, and destroying any personally identifying information (PII) to which the contracting party will or may have access (including PII of your customers, employees, and third parties). Ideally, these obligations are backed up by indemnification, and by a duty to notify you promptly of any actual or suspected breach involving your PII, so that your own crisis plan (see item 3) can be triggered without waiting for the vendor to finish its own investigation. If your organization has written work-flow procedures for contracting, review them to make sure they address privacy obligations. If you have existing contracts with vendors who have access to PII and those contracts don’t address data security, consider amending them. The Massachusetts data security regulations (201 CMR 17.00), which require covered businesses to select service providers capable of maintaining appropriate security measures and to bind them by contract to do so, provide a helpful starting point for drafting contractual data security requirements.
2. Have an up-to-date data retention/destruction policy, and define a compliance process
As data storage gets cheaper and cheaper, many companies are implementing, often without particularly intending to, de facto data retention policies of “keep as much as possible for as long as possible.” From a privacy standpoint, this increases the opportunity for confidential information (including PII) to be misplaced, disclosed or misappropriated, and it means that when a breach does occur, far more records are exposed than the business ever needed to keep. A good data retention/destruction policy sets a retention period, at a granular level, for every type of document or data the company holds, whether digital, paper or otherwise. A great data retention policy also describes who is responsible for its execution and how that execution will be done, so that data destruction/deletion becomes an integrated part of operations rather than an occasional clean-up project. Remember that deleting a record from a production system does not remove it from backups, archives, e-mail, or copies held by vendors; the policy should say how those copies are handled too. Although clear and effective data destruction procedures can take time to design and implement, there’s a significant long-term benefit to be gained, and not just in terms of privacy compliance, from imposing constraints on what could otherwise be an infinitely-growing collection of data and documents. If you already have a data retention/destruction policy, take some time this year to review it and consider whether it needs updating, or spot-check compliance for various document types.
3. Have a crisis plan
Every organization that holds PII of any sort, including not just consumer PII but employee PII, should have a well-circulated crisis management plan to be implemented in the event of an actual or suspected breach. Do your employees know whom to contact if they suspect that PII has been (or may have been) lost, stolen, misplaced or improperly accessed? The circumstances that can give rise to such a suspicion are almost infinitely varied: someone loses a flash drive, or reports that a laptop has been stolen, or notices that a file room has been left unlocked over the weekend and that files containing consumer credit card information seem to be missing. Or, at the other extreme, the IT department reports that the server holding customer credit card numbers has been compromised. In each of these situations, the responsibility for assessing and managing the situation should be defined and understood in advance. Because fixing the situation might require input from legal, IT, marketing, operations, maintenance, customer service and other departments, it may not be apparent when the crisis arises who is in charge of the incident as a whole, and because breach-notification deadlines under many state laws begin to run once the breach is discovered, there is little time to sort that out after the fact. The plan should also say who decides whether outside counsel, forensic investigators, or law enforcement are brought in, and how evidence (logs, the affected devices) is preserved rather than wiped or reimaged in the rush to restore service. Once you have a plan in place, consider conducting tabletop exercises or drills to test whether the response works as planned.
4. Help your employees with their own data
All of the firewalls in the world won’t help if your employees keep a list of their passwords on an unsecured home computer, or take customer files home and leave them in unsecured locations. The security of your company’s data ultimately begins with your employees, and that includes the (perhaps unauthorized) use, access or storage of company information or passwords on home computers and personal devices. For employees who have access to confidential company information and/or PII, consider adding security-directed benefits such as (free or subsidized) password managers; document shredding (for personal documents); firewall and antivirus software for home computers and laptops; secure destruction of old hard drives or computers; full-disk encryption software for home computers, laptops, and flash drives; and home network security instruction or consulting. The more you encourage your employees to treat their own data and networks as needing protection, the more protected your company data will ultimately be.
5. Remember that tangible things need protection too
With so much coverage in the news media of hacking incidents, where data is accessed via the Internet, it can be easy to forget that data can be stolen in the physical world too, whether in paper files, on a flash drive or laptop, or from a dumpster. Is there a closet where your IT department stores old unwiped hard drives? Do you know what’s on those hard drives? Bear in mind that deleting files or reformatting a drive does not actually remove the data; a drive that is leaving your control should be securely wiped with purpose-built software or physically destroyed, and the disposal recorded. Take a moment to think about the physical security of your files and computers, from the time the information is collected until it is destroyed or transferred to someone else.