Secure Your Data Trail
Employees and service providers are the weakest links in protecting and securing your data. Data breaches cost companies an average of $5 million per incident in direct costs according to a recent study by the Ponemon Institute. Business reputations are on the line when faced with a data breach and victims often cut ties with the companies that compromised their private information.
New laws allow individuals to sue companies that fail to safeguard their private data. In addition, failure to follow the laws can result in civil and criminal penalties both for the company and key executives.
Employers are mandated to take reasonable steps to secure non-public information (NPI), including appointing an Information Security Officer or Privacy Committee and creating a stated or written information security and safety program that includes mandatory training of their workforce. The FTC defines “workforce” as part-time and full-time employees, seasonal, temporary and 1099 workers. The FTC recommends that the employer refuse access to anyone who does not attend the mandatory identity theft training. Guidelines have been established by the FTC to ensure reasonable measures are taken by all employers, and civil and criminal penalties have been enforced against companies that failed to protect the NPI they collected.
The newest FTC rules require employers to monitor the compliance efforts of companies they do business with that have access to their data, premises, or vehicles transporting data. An employer can be held liable for a data breach caused by a vendor who has access to the employer’s data. A letter or “statement of compliance” is required from all affected vendors. In certain situations the FTC recommends the employer visit the facility of any company they do business with that has access to their data to determine whether “reasonable measures” have been taken to protect the employer’s data. This includes professionals such as payroll processing companies, accountants, insurance providers, and even the maintenance and janitorial companies who have access to the premises. It is recommended that a letter stating “reasonable measures” are being employed to protect the employer’s data be requested from all affected vendors. If a vendor fails to comply, the employer should evaluate the risks and possibly terminate the services of the uncooperative provider to help mitigate their damages in the face of a data breach.
For more FTC data security guidelines visit: www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf