What do you do when you learn that your company’s server has been hacked and untold quantities of data stolen? What do you do when you learn of a glitch in an app your company sells that gives malware easy access to data on devices on which the app has been loaded? What do you do when a company laptop or mobile device has been stolen? What do you do when an employee receives unsolicited email, clicks on a link in the email, and installs malware on a company computer?
If your organization has a website, collects, stores, or processes sensitive data, or uses smartphones, tablets, email, social media, cloud-based services, or laptops, and it lacks a plan to address scenarios such as these, then it is time to remedy the lapse by developing a data privacy and security program. While observers recognize it is nearly impossible to create a digital Fort Knox impervious to breach, it is clear that taking substantial, meaningful steps to assess and protect sensitive data will go a long way toward minimizing risk of loss and liability for data breaches.
To date, the Federal Trade Commission (FTC) has brought dozens of enforcement actions in a variety of industries due to inadequate data privacy and security measures, and more are on the way. No company that handles personal sensitive information is exempt from the FTC’s reach. In some cases, the FTC has sought fines in excess of $1 million. Nearly all the cases settled, often with the target company paying a fine and being required to adopt security measures and undergo security audits for as long as twenty years. Moreover, states with laws similar to the FTC Act and plaintiffs’ attorneys are also jumping into the fray. Knowledgeable legal observers uniformly agree that legal action resulting from inadequate data security is on the rise, and companies must take steps to minimize their exposure.
What constitutes reasonable data security, however, is highly context-specific. At minimum, reasonableness mandates that companies take a thorough and deliberate approach to data security. Your company should be able to document its rationale for adopting specific procedures and demonstrate that it thought carefully about how best to protect the data it obtains.
This is the first article in a three-part series aimed to assist companies in implementing a data privacy and security program.
Identify a team to take responsibility for data privacy and security
While the process of creating an effective data privacy and security program will vary from company to company based on innumerable variables, all organizations will need to identify at the outset which employees to involve in the process. Maybe your organization is large enough to employ a full-time data security officer who can spearhead the project. Maybe you will need to hire a consultant to advise and lead a team of employees from the marketing, legal, customer service, sales, IT, human resources or other departments within your organization. The FDIC, for example, recommends that financial institutions involve their boards of directors in establishing privacy plans to ensure the commitment to data privacy and security extends throughout the organization.
Whatever your organization’s size, industry, and expertise, be sure to appoint employees with good communication skills and ethics, as they will need both to gather complete information about your organization’s practices and to explain your cybersecurity policy to third parties and employees, including the inevitable naysayers who misperceive the importance of safeguarding data. Moreover, those employees may be called upon someday to defend your company’s practices before government agencies or in class action litigation after a breach. Thus, their ability to gain the trust of skeptical third parties and to communicate your company’s rationales in an effective manner should influence the composition of your data privacy and security team. Additionally, since legal and technical knowledge are essential to an effective data privacy and security program, involve your legal counsel and IT experts.
Catalog your company’s data
Once your team is in place, the first step is to identify the data within your organization, the devices on which it resides (including computers, laptops, smartphones, tablets, servers, digital copiers, flash drives, etc.), the persons who have access to it, how it is collected, and how it is used. This will require a careful inventory, possibly including interviewing employees about their data practices. Catalog all equipment, where it is located, and who has use of and access to it. Map the regular flow of data within, into, and out of your organization so you can better identify irregularities.
Identify the types of data that are collected. Different types of data might be subject to different legal obligations. Avoid recording or using social security numbers unless necessary for tax purposes. And do not forget to include your own employees’ data when cataloging and protecting sensitive data.
Evaluate the unique risks to your organization and its data
Once you have a catalog of your company’s data and the devices on which it is collected, stored, transmitted, or used, evaluate the risk of data loss based on both the type of device and the type of data, including the form in which the data is collected, transmitted, and stored (e.g., whether it is encrypted, truncated, etc.). Assess how vulnerable each device is to known or reasonably foreseeable attacks or other threats. Identify the most vulnerable or high-risk targets, meaning those that would cause the greatest harm if a breach occurred. Keep in mind there is no one-size-fits-all approach to data security. According to the FTC, a reasonable risk assessment could range from a knowledgeable employee running off-the-shelf security software to hiring a security professional to conduct a full-scale audit. The National Institute of Standards and Technology published its Guide for Conducting Risk Assessments in September 2012; it is available on its website.
The next article in this series will address your company’s data collection and retention practices and the importance of adopting adequate security measures to protect your company’s data.