In Data Privacy and Security…We Trust?
The digital revolution has ushered us into the information age. On a daily basis, we entrust our personal information, from the mundane to the highly sensitive, to a variety of recipients. For the most part, this free flow of information adds to our quality of life. Check-out lines are effortless; rarely do we even have to sign. We can enroll in a yoga class, deposit a check, and pay our utility bill, all from our smart phone.Want to simultaneously track your spending, the current balance of your checking account, mortgage, credit cards, as well as your 401k, all while lounging by the pool? There’s an app for that.
This free flow of information comes with an expectation that those who receive our information will safeguard the privacy and security of the information.
But what if “we” are one of those who are entrusted with information? I am. Attorneys, accountants, physicians, banks, retailers, credit card companies, data storage companies, service providers, the list goes on and on of those who receive sensitive information every day. We all recognize the expectation and value of protecting the privacy and security of the information we are entrusted with. And if anyone doesn’t, they should!
We care because we value our clients and our reputation. Laws and regulations may mandate special treatment of certain financial and health information. And frankly, it matters to our bottom line. A large retailer saw net earnings fall following the December 19, 2013 announcement of a wide spread data breach. You may have seen something about this mentioned in the paper….and on the evening news….and in stories of affected individuals flooding your social media feeds. Not only will sales likely continue to be impacted for a time, but this retailer will also have ongoing costs associated with credit monitoring, investigation, and litigation.
But you don’t have to be a Fortune 500 company to experience a data breach. Very few businesses have large IT departments that can provide 24-hour service with a matching data security budget to secure every server, laptop, smart phone and mobile device. This makes smaller businesses very attractive to outside attackers.
We need to recognize expectations and also our limitations. We are human, technology will fail, criminals will develop new and more innovative ways to attack and infiltrate our systems. What can we do? A lot, actually.
Don’t wait for an attack or a government audit to develop a data privacy and security plan. Review your current technology and how you handle and store information to identify weaknesses. Make sure your software is up to date and continues to receive ongoing support, including updated security patches. Update company policies to mitigate the risk that a data breach could result from relaxed handling and storage of sensitive information. Identify key individuals within the company who should be alerted if a breach is known or suspected, and develop an investigation and response plan if and when such an event occurs.
Educate yourselves and employees. A company policy is only as good as its implementation. Reinforce expectations on an ongoing basis, whether through day-to-day interactions, regularly scheduled meetings, company bulletins, or lunch and learn programs.
Perform ongoing internal audits on your system, including your technological capabilities, existing policies, and your data breach response plan. Encourage employees who believe they may have recognized a weakness in security or discovered a data breach to report their concerns to the company.
Communicate within the company to raise awareness of the importance of data privacy and security. If you do experience a data breach, work with your trusted advisors to communicate, as appropriate, the nature of the breach and your response. Do not assume that stopping an ongoing breach and uncovering no evidence of harm is as far as you have to go.
Stay updated on significant changes in technology. Recognize that laws and regulations will continue to catch up with the reality of today’s technology, and this will in all likelihood result in increased duties and reporting requirements for those who have access to sensitive information. Importantly, learn from your experiences and learn from the experiences of others.
This is by no means a step-by-step formula. A successful data privacy and security plan and data breach response plan will involve many of these concepts happening simultaneously.