Know which types of data are collected, including but not limited to: information to identify a natural person such as their name; a social security number; a driver’s license number or non-driver identification card number; an account number, credit or debit card number, and any required security code, access code, or password that would permit access to a financial account; or potentially any other information that can be used to identify an individual.
Know everything that may happen to the data over its lifetime. Know where and how data is stored, because different security controls may be needed depending on the particular storage and transfer techniques used. Know who has access to, or control over the use of, the data so that it can be monitored and tracked effectively. Access controls that require separate passwords for different types of data and information are an effective way to keep track of who can reach which data.
If the data is accessed by or stored with a third-party vendor, such as a payroll company, ensure the third party has similar or stronger security controls and performs its own due diligence to keep the data secure.
Designate someone in charge of maintaining the security of the data and have them enforce a data security policy.
The following should be included in a data security policy:
- The acceptable use of technology, which provides guidelines to ensure employees safely use computers, email, the internet, and other forms of technology.
- Security controls, such as passwords, data encryption, and virus protection software.
- Disaster recovery, meaning procedures for data recovery, data backup, and information about how to report a data breach.
- Technology standards that specify permissible software and hardware and prohibit unauthorized software and hardware. For example, a word processor or other industry-standard software or hardware would be permitted subject to particular security measures, whereas peer-to-peer file-sharing software would be prohibited outright.
- Network security, including network configuration and employee levels of permission for access to information.
- Technical support, maintenance, installation, and long-term technology planning provided by an outside vendor.
- Disciplinary action against employees who fail to follow the security policy in place.
State and local requirements differ and may require additional measures. Check the law at least annually to ensure compliance with the latest laws.
Proactive preparation and planning are key. Companies should constantly monitor for breaches, know who within the company would discover a breach, and know who would subsequently be in charge of remedying the breach and notifying affected parties as necessary. Companies must also know what information to include in the notifications, how the notifications are to be delivered, and, perhaps most importantly, the deadline by which the notifications must be sent. The need to protect data is crucial: inadequate protection can lead to civil and criminal penalties, loss of reputation and customers, increased insurance rates, and costly downtime, to name a few consequences.