Getting a handle on technologies that are transforming businesses is critical to understanding how your company should manage privacy. New devices containing personal information that are used both at home and at the office are blurring the line between the two. The same is true of devices that are networked, or “smart” and interactive. Their use may result in the unintended transfer of personal information to employers, service providers, customers, vendors or others.
Personal information may also be held in a host of repositories on the web, and many of those sites provide new ways to connect and interact with such information. The result: more personal information in more places under the control of more entities. For example, while cloud computing affords new economies and efficiencies to information processing, it also spreads the custody and control over personal information well beyond the company’s traditional boundaries. These technologies are not only changing business, they are changing who and what has custody and control over personal information. Therefore, they are also changing the way that companies manage privacy.
The loss, theft or breach of personal information can damage a company’s business and reputation. Lost productivity, loss of customer trust and confidence, lost revenue and media scrutiny are a few of the consequences when there is a data breach or loss of personal information. In addition, mounting government and industry regulations requiring policies and procedures that ensure the security of personal information should put privacy concerns at the top of the company’s to-do list.
While there is no way to absolutely prevent a data breach, the company can mitigate its risk of a data breach by understanding data security, privacy and the protection of personal information. As an example, knowing how identity theft takes place, the impact it can have on your company and how the stolen information is used is critical in preventing identity theft. With that in mind, the following list (which is by no means exhaustive) provides critical areas management should consider when developing a privacy risk management plan.
Establishing a Technology and Risk Assessment Policy
- Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on your company’s critical information assets must be the first—and is perhaps the most important—step when tackling privacy risk.
- A Written Privacy Risk Management Program. Even if adopting a written privacy risk management program to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing privacy risk. Not only will such a program better position the company when defending claims related to a data breach, but it will also help the company manage and safeguard critical information. In addition, such a program can be advertised as a competitive advantage.
- Training. Training is a necessary component of any privacy risk management plan and a required element under most federal and state laws that address data security. For example, employees should be trained to understand the risks to private information they carry around in mobile phones, electronic tablets, laptops and other electronic devices used for business purposes and how to safeguard such information.
Implementing Technology and Risk Assessment Policy
- Vendors/Business Partners. Your organization may be especially vigilant about screening employees and performing background checks. Be certain that background screening is being conducted by the companies you contract with as their employees will have access to your physical—and sometimes electronic—locations where personal information may be accessed. If the company entrusts sensitive information to such vendors, management needs to take steps to ensure the vendor has implemented appropriate safeguards to protect the information.
- Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with privacy risk management and, specifically, data breach response. This kind of coverage should be a part of management’s considerations when establishing a privacy risk management plan.
- Policies and Procedures to Warn of Potential Breaches. The company should have policies and procedures designed to detect, prevent and mitigate instances of identity theft. In other words, the company should have a process in place to identify circumstances that indicate incidents of identity theft could be occurring and then take steps to prevent the identity theft or mitigate its effects.
- Carefully Integrating New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address privacy risk and data breaches should be a factor in the decision whether to adopt the technology.
Responding to a Security Breach
- Plan for Responding to a Breach Notification. Even the best-run companies may suffer a breach of private information; hence the need for effective and timely management of such breaches. All state and federal data breach notification requirements currently in effect require that notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General or, in the case of HIPAA protected health information, the Office for Civil Rights. Management should develop a formal, effective and repeatable plan to determine the nature of a breach and the steps to take in response to it. In addition, management should ensure that staff is well trained so that they know what might constitute a breach that warrants the attention of management. The absence of such a plan may expose the company to more damage than the situation warrants.
Technology and Data Security Requires Vigilance
Managing data and ensuring its privacy, security and integrity is critical for businesses and is increasingly becoming the subject of broad, complex regulation. It seems to be only a matter of time before U.S. companies are subject to a national law requiring the protection of personal information. Therefore, management should continue to monitor the status of new and proposed legislation to remain compliant and competitive.
For more information, please contact Kristen L. Fitzpatrick, CPA, Principal.