This is the second article in a three-part series aimed at assisting companies in implementing a data privacy and security program. The first article addressed the importance of adopting such a program, how to put together a data privacy and security team, cataloging your company’s data and devices, and understanding the data security risks your company faces.
Tailor data collection and retention practices to your business’s needs, and use safe disposal methods
After you have cataloged your company’s data and the devices on which it resides, carefully consider the types of data your company collects and whether each category is necessary to accomplish your company’s mission. Dispose of unnecessary data, and use safe and secure disposal methods when you do. For electronic data this means destroying it so it cannot be read or reconstructed: merely deleting files or reformatting a drive leaves the contents recoverable until they are overwritten, the drive is cryptographically erased (its encryption key destroyed), or the media is physically destroyed. Paper documents should be shredded or pulverized. If your company contracts with third parties to perform these functions, conduct due diligence on the service providers to ensure they follow best practices, including the Disposal Rule adopted by the FTC to govern the proper disposal of consumer reports by companies that use them (e.g., lenders, employers, mortgage brokers, and debt collectors), and obtain a certificate of destruction for each batch.
Going forward, avoid collecting unnecessary data and keep it only as long as necessary. According to both the FTC and the California Attorney General, best practices dictate that sensitive personal data is collected only if necessary to conduct business and retained only as long as needed. Adopt a written document and data retention policy that reflects how your company collects, uses, stores and disposes of data, and make sure it has been vetted by legal counsel, as your data retention policy may need to be adjusted from time to time to accommodate litigation holds. Many jurisdictions take the view that litigation holds must be instituted as soon as the possibility of litigation arises, which means as soon as you learn of a potential claim, a litigation hold should be instituted.
Incorporate privacy by design into your company’s products and services
The FTC and California Attorney General, among others, advocate that companies incorporate privacy principles into their products and services at the development stage. A failure to do so may result in a platform incapable of being adapted to comply with more robust privacy obligations as they are enacted.
Secure the data your company collects and retains
Implement security measures according to your risk assessment so that the most sensitive data is subject to the most advanced security protocols befitting your organization’s resources and risk profile. Employ both physical and electronic security measures tailored to your organization and the specific data it collects, transmits, uses and stores. While cybersecurity tends to focus on breaches by criminals hacking into computer systems, physical loss is just as costly: in 2012, a healthcare company paid $1.5 million to settle a complaint brought by the Department of Health and Human Services after 57 unencrypted hard drives containing private health information were stolen from a storage facility. Encrypting data at rest is what makes a stolen drive, laptop or backup tape a recoverable loss rather than a breach. As appropriate, limit access to equipment. Lock cabinets or rooms housing servers or documents with sensitive data. Prevent unauthorized access to devices storing sensitive data.
Consider hiring a security expert to assess your company’s security protocols and lock down your company’s data. As states are increasingly adopting laws mandating specific security protocols, such as encryption, firewalls and antivirus software, consult legal counsel to ensure your organization complies with the laws of each relevant jurisdiction.
Implement a routine monitoring plan
A robust data privacy and security program includes monitoring remote access to systems on a regular basis to ensure sensitive data is not improperly acquired. Set up procedures to report attempts to access sensitive data. Security analysts recommend employing an intrusion detection system that will notify you of improper attempts to access electronic data. Look out for unusually large volumes of data being transmitted from your company’s systems, judged against what each system normally sends rather than a single company-wide figure, and investigate such incidents to confirm they are authorized. In some circumstances it might make sense to share information about unlawful attempts to access your company’s data with law enforcement or industry groups. Sharing such information with other companies might provide a better defense and prompt the development of industry-wide strategies to improve data security.
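One concrete form the “unusually large volumes of data” check can take is a per-host baseline: sum each host’s outbound bytes per day, compare each day with that host’s own median and median absolute deviation, and alert only when the total also clears an absolute floor. The script below is an added illustration and is not code from the original article or from any product it mentions. The log format, host names, destinations, byte counts and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed log format (not from the article):
#   "<ISO timestamp> <src_host> <dst_host> <bytes_out>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<bytes>\d+)$")

# Constructed sample egress records; hosts, destinations and volumes are invented.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-017 cdn.example.net 5400000
2024-03-01T09:05:00 ws-017 mail.example.net 12000000
2024-03-01T09:10:00 ws-017 cdn.example.net 8000000
2024-03-01T10:00:00 ws-017 mail.example.net 7000000
2024-03-02T09:00:00 ws-017 cdn.example.net 6000000
2024-03-02T09:30:00 ws-017 mail.example.net 9000000
2024-03-03T09:00:00 ws-017 cdn.example.net 7500000
2024-03-03T02:14:00 ws-017 203.0.113.45 850000000
2024-03-01T09:00:00 ws-042 cdn.example.net 4000000
2024-03-02T09:00:00 ws-042 cdn.example.net 4500000
2024-03-03T09:00:00 ws-042 cdn.example.net 5000000
2024-03-04T09:00:00 ws-042 cdn.example.net 9000000
this line is malformed and must be skipped
"""


def parse_log(text):
    """Return (timestamp, src, dst, bytes) tuples; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["src"], m["dst"], int(m["bytes"])))
    return records


def aggregate(records):
    """Sum bytes_out per (host, day) and per (host, day, destination)."""
    per_day = defaultdict(lambda: defaultdict(int))
    per_dst = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in records:
        day = ts[:10]  # ISO-8601 date prefix
        per_day[src][day] += nbytes
        per_dst[(src, day)][dst] += nbytes
    return per_day, per_dst


def find_egress_anomalies(per_day, per_dst, k=5.0, floor_bytes=50_000_000):
    """
    Flag a host-day whose outbound volume exceeds the host's own baseline
    (median + k * median absolute deviation over the days observed) AND an
    absolute floor, so a low-volume host with a noisy baseline does not
    raise alerts over a few extra megabytes.
    """
    alerts = []
    for host, by_day in per_day.items():
        volumes = list(by_day.values())
        if len(volumes) < 2:
            continue  # not enough history to form a baseline
        med = median(volumes)
        mad = median(abs(v - med) for v in volumes) or 0.5 * med or 1.0
        threshold = max(med + k * mad, floor_bytes)
        for day, vol in sorted(by_day.items()):
            if vol > threshold:
                dst, dst_bytes = max(per_dst[(host, day)].items(), key=lambda kv: kv[1])
                alerts.append({
                    "host": host, "day": day, "bytes_out": vol,
                    "threshold": threshold, "top_dst": dst, "top_dst_bytes": dst_bytes,
                })
    return alerts


def run_monitor(log_text, **kwargs):
    per_day, per_dst = aggregate(parse_log(log_text))
    return find_egress_anomalies(per_day, per_dst, **kwargs)


if __name__ == "__main__":
    for a in run_monitor(SAMPLE_LOG):
        print(f"ALERT {a['host']} {a['day']}: {a['bytes_out']:,} bytes out "
              f"(threshold {a['threshold']:,.0f}), mostly to {a['top_dst']}")
```

On the sample, ws-017 is flagged for 2024-03-03 because an 850 MB transfer to a single unfamiliar address dwarfs its 15 to 32 MB daily norm, while ws-042’s 9 MB day is ignored even though it exceeds that host’s MAD threshold, because it never reaches the floor. The alert carries the top destination so the investigator the text calls for knows where to look first; in practice the same aggregation can be keyed by user or by hour to catch off-hours transfers like the 02:14 record above.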
Routinely conduct physical inspections of devices that criminals could tamper with to obtain sensitive data, such as card readers, PIN pads, and computers in public areas. Criminals have been known to attach devices to computers in department stores to steal customer credit card data and to install “skimmers” in card readers at grocery store self-checkout stations and gas pumps. Because such tampering is easiest on equipment the public can reach unobserved, inspect it frequently, and train staff to recognize loose, mismatched or added hardware.
Keep abreast of developments in the cybersecurity arena
At least one member of your data privacy and security team should be tasked with keeping informed about data security risks. There are a number of useful resources to consult, including the FTC’s website.
Address privacy in agreements with third parties
If your company outsources functions or otherwise shares data with third parties, including vendors and service providers, your data privacy and security program must take into consideration the third parties’ data practices. Incorporate data privacy and security obligations into contracts with third parties, and require them to notify you of any breach impacting your customers. You might also want to incorporate an indemnification provision that addresses liability for damages caused by security breaches.
Carefully select and routinely train employees about data privacy and security
A data security program is only as strong as its weakest link, which, all too often, is your employees. Nearly any data security program can be undermined by employees’ failure to comply with best practices. Thus, it is crucial to instill a habit of protecting data privacy and security in your employees and contractors. Require them to use robust, unique passwords that are changed regularly. Consider prohibiting employees from installing software on company computers and on devices that access your company’s network. Keep abreast of scams designed to obtain sensitive data, including telephone and email phishing scams and other methods used to breach security, and educate employees regularly about the latest threats. Participation in industry groups focused on data privacy can be a beneficial way to learn of threats, which are forever evolving.
Conduct background checks before hiring employees who will have access to sensitive information. Adopt a written policy regarding the handling of sensitive data, specify precisely the data to which it applies, and have each employee sign an agreement to follow the policy and protect the confidentiality and security of sensitive data. Make it clear that employees who misuse sensitive data can and will be fired. Adopt and use uniformly a procedure to terminate employees’ access to data upon termination of employment.
Require employees to report immediately any data security breaches, including the loss of mobile devices. Prevent lost or stolen devices from accessing your network. Consider installing software that will remotely delete the contents of a missing device. While this may seem drastic, the frequency with which smartphones and tablets are stolen may make it necessary if your data privacy and security program is to be considered reasonable.
Consider curtailing the BYOD trend
The “bring your own device” to work trend may be at odds with your company’s security measures. If your company permits employees to use personal devices for work (e.g., smartphones, tablets, laptops), your data privacy and security program must include policies addressing the use of personal devices. For example, you may want to require employees to install antivirus protection and management software that permits your IT personnel to disable an employee’s device in the event it is lost or stolen or the employee is terminated. You might also require that such devices access your company’s network only through a secure connection. Your program should also consider the implications for employee privacy, as employees are likely to store personal information, pictures, videos and the like on their devices, and that material may be lost if the device is wiped. Consult legal counsel about requiring employees to sign a robust consent and waiver before permitting them to use their personal devices for work.