Data privacy is making headlines — for all the wrong reasons. Data privacy breaches are becoming regular events, while federal and state governments are imposing costly penalties on businesses that fail to take adequate steps to protect consumer data. A comprehensive data protection audit can improve how a company safeguards sensitive information, ranging from a company’s proprietary intellectual capital to its customers’ social security numbers. But how do you know if you need to hire a consultant to help you with these initiatives?
You do not have a clear idea of the extent to which you are subject to state or federal data security laws and rules. State and federal regulators have responded to the information age by enacting laws that require businesses to protect against unauthorized access to employee, customer and patient information. A consultation is critical if you don’t know whether, or to what extent, you are subject to federal industry-specific requirements such as Gramm-Leach-Bliley (banks and lenders), HIPAA/HITECH (health care providers) and the “Red Flag” rules (creditors, including utilities and auto dealers). This is even more true of the Massachusetts data rules, which are the toughest in the country and impose significant, nation-leading requirements on all Massachusetts businesses and on many non-Massachusetts businesses that have employees living in-state or that handle credit card, debit card and banking orders involving Massachusetts residents.
You prepared an Information Technology (“IT”)-focused written information security program (“WISP”) without addressing essential non-IT elements. Many tech-savvy businesses responded to the data revolution by implementing WISPs focused exclusively on IT protections such as firewalls, virus protection and controlling access to sensitive information. A sound WISP includes substantial non-IT components, including physical security, control over paper records, destruction of documents and electronic records, data-related personnel policies and management of remote devices and smart phones, among other topics.
You are in a small business or medium-sized family business with only part-time IT assistance. At the opposite extreme, many smaller or family businesses underinvest in IT and, as a result, fail to provide adequate defenses against the hacking and external network incursions that have been at the heart of so many recent security breach cases. Failing to make smart technology purchases, to pay close attention to installing and maintaining firewalls, to install and update virus protection software, and to avoid key points of weakness (insecure or abandoned Wi-Fi networks, server ports left open following maintenance, failure to lock down smart copier hard drives at contract end, failure to employ disk encryption for laptops of key employees, use of insecure cloud networks, etc.) opens such businesses to intentional attack or careless loss of data.
Your WISP does not address protections applicable to vendors holding your confidential information. The Massachusetts rules included specific provisions, made effective two years after enactment, that require holders of confidential information to supervise vendors providing services relating to such information and to address vendor rights and obligations relating to protected information by contract. This represents excellent practice for all businesses but presents implementation challenges that warrant guidance. Conversely, if you provide services to holders of confidential information, you can expect to field inquiries about the adequacy of your data protection practices, and possible indemnification requests if assurances can’t be given.
You have had a significant breach and haven’t updated your WISP. While some breaches result from bad luck (a reputable transportation company loses key data files en route to a disposal facility) or unpredictable human error (such as a maintenance person dumping sensitive records in an open dumpster rather than shredding them), some are the foreseeable end product of a poor or incomplete WISP. Every breach should be viewed as an opportunity or obligation to evaluate the adequacy of the WISP and related procedures.
You had a corporate transformation or restructuring and haven’t updated your WISP. WISPs should grow and evolve with new business opportunities and challenges. Expansion into new states, countries or lines of business (such as a data-intensive retail business or a move into online services) should trigger a re-evaluation of the adequacy of what might now be an outdated WISP.
You are in a closely regulated field and your WISP is several years old. The field of data protection has changed rapidly in terms of legal developments (e.g., the 2013-14 federal rewrite and expansion of HIPAA/HITECH), technology (e.g., effective encryption has become cheaper and easier to use), and work-driven practice changes (e.g., the strong move toward using the cloud for off-site data storage). A fresh look, and fresh training packages for personnel, may well be in order if you haven’t reviewed your WISP in several years.
You work in a law or other professional services firm. Evidence suggests that those interested in stealing sensitive information in order to engage in identity theft or commit corporate espionage have increasingly turned their attention away from target businesses and, instead, focus on the professional firms that serve those targets and, ideally, dozens of other similarly situated clients. When one considers that professional firms are often slow technology adopters compared to their clients, they may unknowingly face significant data vulnerabilities.
You hold unnecessary confidential information. It is a truism in this data age that liability attaches to every confidential record you own or control, and many companies may benefit from changing practices so as to move toward being a “Lean Information Firm.” This could be as simple as implementing a robust disposal/shredding policy, or not automatically requesting social security numbers from job applicants until they are hired or must be security or credit checked.
You are underinsured against potential data breach losses. General liability policies have increasingly been revised to exclude data security-related losses, which may be significant. Whether or not you are going to purchase aggressive cyber coverage, it would make sense as a precaution to have a professional review your data security policies and procedures.