Sensitive, personally identifiable information (PII) such as names, account numbers, trading and other financial information is collected and used for virtually every customer and internal corporate function: HR; marketing; sales; customer support; technical support; product development; investor relations; regulatory compliance … the list goes on. Companies also handle sensitive data related to intellectual property (IP) and trade secrets that must be protected.
Because the risks are high, companies should put procedures in place to minimize the likelihood of data breaches and to mitigate the damage if a release occurs. In this article, we identify five steps every business should take to ensure that it is facing and appropriately managing data-related risks.
The trend toward cloud computing, use of third-party application service providers, and outsourcing functions that can include payroll, benefits, marketing and more, multiply the potential vulnerabilities, and up the ante when it comes to managing data-related risk.
Recent, high-profile cases illustrate all too vividly the financial, legal, and reputational damage that can occur when sensitive data goes astray. These examples highlight that companies that experience the unauthorized release of sensitive data (accidentally or otherwise) potentially face at least two types of claims: claims by the individuals whose sensitive information has been exposed, and indemnification or damages claims by creditors or other companies that may have incurred losses as a result of the breach.
In this area, more than most, an ounce of prevention can truly be worth a pound of cure.
Know what you’ve got – Among the first steps every company should take in evaluating its information security is to catalog every place where the organization acquires, uses or stores potentially sensitive data. Common data portals include the company website (are there contact, registration, or application forms online?); the employment process; and information collected for marketing and sales purposes.
Find out who is in charge of each type of information, and who has access to it. Is information shared with outside vendors or other third parties? Determine what physical and technological safeguards are in place to protect sensitive data. Make plans to stop collecting and destroy PII that the company doesn’t actually need.
Know your obligations – To protect employees and consumers, a host of federal and state authorities have implemented an alphabet soup of privacy and data security laws. Depending on the kinds of data your company handles, acts with acronyms such as CAN-SPAM, COPPA, ECPA, FACTA, FCRA, GLBA, or the USA Patriot Act may apply. Private standards may also be applicable by contract. And, of course, both the FTC and state attorneys general have become increasingly aggressive in their enforcement of laws prohibiting “unfair and deceptive trade practices” against companies that say one thing about how they will use information they collect, then do another.
Be aware, also, that it is increasingly common for the government to request information about individuals from companies that have such information in their possession. Not every government request is valid, particularly if the request is not supported by a proper subpoena. Any request should be carefully vetted, as phone companies very publicly learned when they cooperated with government requests for customer information in the post-9/11 period.
Know your partners – If your company handles sensitive data for others, or relies on outside vendors for functions that require the company to share its data, it is crucial to know exactly how each and every vendor agreement addresses privacy, confidentiality, data protection, and responsibility in the event of a breach.
Know whether you’re covered – Faced with a data breach that potentially could result in disclosures of private information, companies may look to their insurance policies for protection from resulting claims, costs, and liabilities. As a result, before a data breach occurs, companies should take aggressive steps to ensure that they have the coverage that they need. In particular, companies should conduct an audit of their insurance portfolios to identify potential gaps.
Have a plan – First, an ongoing plan to govern how data is collected, handled, stored, shared, and accessed day-to-day. And, second, a plan to govern how the company will respond if the worst occurs and, despite best efforts, sensitive data is lost or stolen.
The first plan will include external privacy and confidentiality policies, and internal policies to ensure data protection. Second, the company should put into place a plan to detect and respond to any unauthorized access to, loss or breach of sensitive data. This plan should address who is responsible in the first instance for being on the lookout for data incidents, including computer hacking; loss of physical files, devices or drives containing sensitive data; and misuse of data by company employees or vendors. The plan also should spell out how, once a breach is detected, the company will respond, from an IT, legal, insurance, and public relations perspective.
While the parameters of responsibility for data protection remain uncertain and in flux, it is crystal clear that the costs and liabilities associated with failing to protect sensitive data are on the rise. By following these five risk management steps, companies can help reduce the risk of adverse data incidents, and position themselves to mitigate the damage if an incident occurs.
L. Elise Dieterich is a partner in the Regulated Industries practice in Sullivan and Worcester’s Washington, D.C. office, and advises clients on a wide range of matters affected by government regulation. With over two decades in practice, Ms. Dieterich has represented clients in matters involving numerous state public utility commissions and federal agencies including the FCC, FTC, Department of Commerce, Department of Justice, Department of Energy, and EPA, as well as in litigation and mediation.
Ronald Whitworth is an associate in the Privacy & Data Security and Telecommunications Groups in our Washington D.C. office. Mr. Whitworth is a Certified Information Privacy Professional (CIPP), as certified by the International Association of Privacy Professionals (IAPP), and handles a wide variety of state, U.S., and international privacy and data security matters for S&W’s clients.