Every business, no matter how large or how small, receives private data or information from employees, vendors and customers. It’s the business owner’s responsibility to keep this information private and protected. If private information is leaked or falls into the wrong hands, a business could be subject to major liabilities, penalties and embarrassment. The monetary and reputational costs could be staggering.
“It’s no understatement to say that every business needs to have a plan in place for keeping information safe and secure,” says Matthew Kelly, an intellectual property attorney and certified information privacy professional at Semanoff, Ormsby, Greenberg & Torchia, LLC. “Businesses also need to know what to do in the event of a breach.”
Smart Business spoke with Kelly about some of the ways businesses can protect sensitive information and how to best respond if that information is ever compromised.
How should a business begin developing an information management plan?
The first step is to identify what kind of information the business is receiving and whether there are any industry-specific laws that come into play. For example, the health care industry collects personal health information of patients and is subject to federal laws known as HIPAA and HITECH. There are also specific federal laws that cover the financial services industry, the credit card industry, the telecommunications industry, the marketing industry and laws that cover educational institutions. These laws will outline what is required or prohibited in the collection and use of information specific to the businesses in those industries.
Once the legal requirements are identified, business owners should assess how to best handle sensitive information within their organization in a way that’s cost-effective and administratively efficient. Encrypting data, using a dedicated server, limiting access to certain employees and creating a secure method of disposal of information are just some of the ways that a business can protect the data it collects.
Are there risks in allowing employees to use their personal devices at work?
Each employee’s device increases the possibility of a data breach if it is lost, stolen or hacked. It also increases the risk of theft or copying of information by employees. To address these issues, businesses are increasingly implementing Bring Your Own Device (BYOD) policies.
A good BYOD policy will communicate clearly how an employee’s device is to be used in the workplace and how company data is to be handled on those devices. At a minimum, each device should be password protected so that if it does get lost or stolen, a third party cannot access the data.
Some companies prohibit the taking of photographs at the workplace, especially when dealing with proprietary technology or trade secrets. Employees should also be made aware that any business information stored on those devices is company property, and that such information will be returned to the company or deleted when an employee leaves the company or is terminated.
How should a company proceed if there is a data breach?
Data breaches can be very damaging to a company’s reputation and very embarrassing. No company wants to let down its customers or appear incompetent in the handling of sensitive information. For this reason, most states have adopted laws requiring companies to notify customers, and sometimes law enforcement, as soon as commercially possible when data breaches of a certain nature occur.
For most states, the notification requirements will not be triggered unless there has been a material breach of personal information, such as a person’s name and social security number. Businesses that suspect a breach are expected to act quickly to determine whether a breach has actually occurred, the identity of the customers affected and how to secure the exposed data to prevent further damage.
Insights Legal Affairs is brought to you by Semanoff Ormsby Greenberg & Torchia, LLC