By becoming familiar with applicable privacy laws and regulations and by following these best practices, organizations can help avoid costly data breaches.
Currently, 46 states, along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have data security breach laws, and some of them are broad enough to span multiple industries. For example, personal information, as defined by Massachusetts law, can be the first initial and last name of an individual coupled with a Social Security number, driver’s license number or credit card number. Based on the broad definition of personal information, this and other state laws should prompt all companies to protect customer information correctly.
Here are some practical tips for protecting data held by your organization.
Organize Your Data: Determine where personal information is stored and who has access to it. Ensure that wherever personal data is kept, it is secure and segregated from other information. All personal data that is not essential to business operations should be properly destroyed.
Establish Updated Policies and Procedures: Policies and procedures covering privacy and security should be tailored to your organization. Policies should anticipate a variety of issues that include texting, use of social media, BYOD (bring your own device), cloud storage and use of external storage devices, such as external hard drives and thumb drives. It’s important to update these policies and procedures to meet changing technology and business environments.
Encryption: Use encryption as specified by NIST, especially on portable devices that store protected information. Additionally, keep your encryption key separate from the device. (Do not, for example, put the key on the desktop.)
Computer Security Protections: Common computer security protections can go a long way toward protecting personal data. Examples include installing software patches, requiring robust passwords, requiring multiple-factor authentication for remote access and terminating dormant accounts.
Employee Training and Security: Once an organization has established policies and procedures, it is important to disseminate that information throughout the organization. That can be accomplished through employee training on proper privacy and security procedures and training specific to breach identification and notification.
The organization also should safeguard security by limiting employee access to information that could lead to a breach. Such restraints can include selective employee access to websites (to avoid hacker sites), limited employee access to data storage (on an as-needed basis), and establishment of an employee exit procedure (including an exit interview and separation agreement).
Unfortunately, although these useful ideas may prevent a claim against an organization for unjust enrichment, even these steps cannot immunize an organization against a data breach.
By becoming familiar with the requirements of the applicable laws and regulations and by following the steps listed above, an organization’s management can help avoid a costly data breach. Unless your organization is willing to take such steps, a lawsuit may determine that the money you appear to be saving is nothing more than unjust enrichment.