Matus Law Office

FAQ: Data Privacy

What information is legally required to be protected?

What steps should my business take to protect data?

What does my business have to do in the event of a data breach involving personal data?


What information is legally required to be protected?

Business owners naturally want to protect trade secrets and other confidential business information, but the law increasingly also requires businesses to protect personal information about customers, vendors and employees.  Personal information generally means a person’s first and last name combined with any of the following:

1) Social security number;
2) Driver’s license number;
3) Credit/debit card or financial institution account number;
4) Health insurance account number;
5) Medical information;
6) Background check information;
7) Biometric information.

Personal information also includes a person’s email address or user name in combination with a password or security-question answer that would permit access to an online account.

What steps should my business take to protect data?

1)  Determine where any confidential or personal information is located: paper files, workstations, desktop computers, servers, laptops, smartphones, removable media, and any cloud services or vendors that hold the information on your behalf.  You cannot protect data you do not know you have.

2)  Once you know where everything is located, limit access to only those people who have a need to know.  Paper records should be kept in locked file cabinets.  Sensitive information stored electronically should be kept in files that are, at minimum, password-protected, and access to them should be restricted to named accounts rather than shared logins.  Laptops and smartphones deserve special attention: they should have technical protection at least as strong as the business’s desktop computers, should use full-disk encryption so that a lost or stolen device does not expose the data on it, and should have the “remote-wipe” feature enabled.

3)  Every business should run anti-malware software and a firewall.  All software should be updated promptly whenever a new “patch” or update is released.  Businesses must maintain a strong backup system, with backups tested regularly and at least one copy kept offline or otherwise isolated from the network, so that ransomware cannot encrypt the backups along with the live data.  Companies should also encrypt confidential or personal information, both in storage and while it is being transmitted.

4)  Confidential or personal information should not be sent by email unless it is encrypted.  A file-sharing service that encrypts the data and restricts access to named recipients is usually a more secure option.

5)  Employees should be trained on how to avoid cyber-theft, including how to recognize possible phishing attacks and where to report suspicious messages.

6)  You should closely scrutinize your vendors to ensure that their data protection practices are at least as strong as your own, and that they will notify you promptly if they suffer a breach affecting your data.

7)  When it is no longer necessary to keep confidential or personal information, the information should be thoroughly destroyed.  Paper records should be shredded.  Simply deleting a computer file is not sufficient, because the contents usually remain on the disk until overwritten; a wipe utility should be used.  Note that overwriting is unreliable on solid-state drives and many cloud storage services, so for those the dependable approach is to keep the data encrypted and destroy the encryption key, or to physically destroy the media.

8)  Practice your responses to common attacks.  Understand what you would do if your company’s files or website were locked by ransomware, or if personal data were breached, before it happens.

What does my business have to do in the event of a data breach involving personal data?

As soon as reasonably practicable after discovering the breach, consistent with the need to determine the breach’s scope and to restore the security of the system, a business is obligated to send notice to every person affected by the breach.  Preserve system logs and other evidence of the incident, since they are needed both to determine which individuals were affected and to support the notice.  The content of the notice will depend on the type of personal information that was compromised.  If health or medical information is breached, you may also be required to notify certain government agencies.