October 6, 2014

The data security challenge

By now, all of us have either heard of or experienced the "Ice Bucket Challenge." Nominated individuals choose between dumping ice water on their heads or writing a substantial check to a charity. By any measure, the challenge has been a massive viral success leading to a substantial increase in awareness and contributions for the sponsoring charity.

I believe businesses face their own "Ice Bucket Challenge" as it relates to protecting confidential data like trade secrets or personal information of their employees or vendors. Businesses are effectively "nominated" to protect data on hard drives and in file cabinets, whether by federal or state law, or by the privacy expectations of consumers and investors.

Businesses have to decide how to meet the challenge, either by developing or adhering to a data security program, or by avoiding any action, thereby risking the potential for a big "check" to be paid later in costs, fines and lost business if they experience a data breach. Businesses need to develop an information security program as soon as possible. The program should be documented in a written information security plan ("WISP") and should, at a minimum, do the following:

Identify the protected information you possess and where it is located;

Reduce the types of protected data you collect to the least amount necessary to meet your business objectives;

Secure the data you possess via electronic means, physical means and agreement clauses with vendors and insurers;

Dispose properly of sensitive electronic and paper records when they are no longer needed;

Implement the program with a thoughtful rollout and appropriate training;

Update the program regularly to account for breach experience, new business expansion, and technology changes.

Robert Munnelly is a partner in the regulatory department of Murtha Cullina LLP.

Copyright 2017 New England Business Media