March 10, 2015

Is Your Workplace Ready for a National Cyber Security Law?

Ever since President Barack Obama announced new national cyber security legislation in his State of the Union address, the buzz about the cyber security law moving forward has been positive.

The new Personal Data Notification and Protection Act would likely “legislate a 30-day window for notification, require companies to report certain breaches to the government, and empower the Federal Trade Commission to set and enforce federal data security standards,” according to a report at thehill.com.

It would also supersede (and get rid of confusion caused by) about 47 different state-based notification bills – and that’s what some industry experts are applauding most.

Cyber security news reports indicate that the details of the law are still being debated. For example, how many days should companies get to investigate a breach before they notify consumers? Should all sectors be covered? Will consumers end up being over-notified about exposed data?

But it’s a good idea to start preparing for tighter cybersecurity now, advises Julie Lockner, Vice President of Market Development at Informatica, a data integration software company. In an article posted at SCmagazine.com, Lockner recommended looking at policies that relate to the FTC’s enforcement practices – to see what might be missing in your workplace.

A recent International Association of Privacy Professionals (IAPP) study by the Westin Research Center assessed Federal Trade Commission enforcement actions in dozens of cases. The following data security best practices are based on that information and would help reduce the risk of a breach.

  • Perform regular security risk assessments to identify risks to personal information that the company manages and stores on its network, online, or in paper form.
  • Use up-to-date technology and practices to safeguard information, including security measures such as firewalls, password policies, and encryption software and rules.
  • Limit access to personally identifiable information in digital form and on paper to employees who need the information in order to do their jobs.
  • Restrict third-party access to personal information based on business need. Industry experts recommend that companies require service providers to have appropriate information security safeguards in place.
  • Provide ongoing employee training. Employees must be educated on the company’s privacy and cybersecurity policies, and all staff members should understand and be able to apply its privacy and data security safeguards.
  • Use a comprehensive document management process that controls how long data is stored, how that information is secured, and when information is no longer needed and can be destroyed. Partner with a reputable shredding company that maintains a secure chain of custody, including locked consoles for the workplace, secure destruction of e-media, hard drives and paper documents, and a Certificate of Destruction after every shred.

A culture of security is the key to creating trust with internal and external stakeholders. Get started with these document security protocols.