Corporate leaders regularly identify data security as one of the top five risks their businesses face.
Many companies are appointing a Chief Privacy Officer to oversee the proper handling of data. In some cases, the Chief Compliance Officer (CCO) is charged with protecting the company’s data and ensuring that the company does not violate any law or regulation relating to data collection, storage and use.
Global companies face a variety of legal and regulatory requirements relating to data. Companies have to understand what data they collect, how it is stored, processed, transferred and secured. Access to data has to be restricted and subject to security requirements.
Data security is now a critical requirement for every business. A compliance program has to include policies and procedures that address all of these issues. The CCO has to work closely with the company’s information technology experts and make sure that they coordinate with every function that uses data in the company.
The first step in addressing this issue is to understand the company’s current and future data needs and operations. Once the company completes its data profile, the company should measure its current and future needs against its existing privacy and security policies and practices. In addition, the company needs to gather information on data practices by its third party vendors, distributors and agents. If appropriate, contractual protections should be included to ensure that third parties comply with company data security policies.
Many companies do not have established data protection policies because they neither know nor understand what data they hold or the risks that data carries. For years, the focus has been on protecting financial information and trade secrets. An initial technical audit of the company’s information technology systems, establishing what data is held, where it resides, how it flows and who can access it, is therefore an important first task.
As part of this initial assessment, the company has to examine the risks to its data security. Specific threats have to be identified, and for each one the likelihood that it occurs and the impact if it does should be measured. Internal and external threats both have to be considered: an insider can be just as dangerous as a foreign hacker.
A data privacy and security audit is the backbone of the company’s compliance program. If changes need to be made, a compliance plan should be developed and implemented. That plan must include a detailed incident response plan setting out how the company will respond to a data security breach.
A privacy audit will point to the changes required to meet best practices. Security measures must be reasonably designed to protect the company’s data. A company should adopt a detailed and clear statement of its data privacy and security policies and procedures. Like other compliance policies, it should be disseminated throughout the company, and the officials and employees responsible should be trained on complying with it.
The privacy and security policies must be implemented, monitored and enforced. A paper program is just that – a paper program. Regular testing and monitoring of data privacy and security compliance practices should be scheduled as part of an overall compliance program.
Many companies are purchasing insurance to cover the serious risks to data privacy and security. It is important that any such policy also extend to breaches suffered by the third parties (vendors, distributors and agents) that hold or process the company’s data.