Privacy Legislation: Does Your Organization Follow all the Rules?
For most organizations, collecting sensitive consumer and employee information is an essential part of doing business.
Protecting that information from being stolen or wrongfully retrieved is essential too.
It’s also the law. Companies in all industries must comply with various privacy and data protection policies, as well as Canadian or US privacy legislation.
While security breaches can lead to identity theft, fraud, and other privacy law violations, they’re also financially costly. The True Cost of Compliance, an earlier benchmark study by Ponemon, showed the average cost of non-compliance was almost three times as much as compliance ($9.4 million compared to $3.5 million).
These five questions will help determine if your organization is compliant.
1. What kind of confidential data do you have?
It’s important to know what information the organization collects – and why. Confidential data is defined as personally identifiable information (PII) such as names, addresses, and account numbers. This information should not be collected indiscriminately. Regular audits are recommended to identify data that is no longer needed.
2. What privacy laws matter?
All workplaces must have a good understanding of the privacy laws that govern their industry. There are federal, state (or provincial) and industry regulators.
In the healthcare sector, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) helps safeguard medical information. The Health Information Technology for Economic and Clinical Health Act (HITECH) supports electronic health records.
In financial services workplaces, the Sarbanes-Oxley Act (SOX) and the Gramm-Leach-Bliley Act (GLBA) apply.
Other U.S. privacy legislation includes the Fair and Accurate Credit Transactions Act (FACTA) and the Economic Espionage Act (EEA).
Canadian privacy legislation includes the Digital Privacy Act, which was passed in 2015 and amends the Personal Information Protection and Electronic Documents Act (PIPEDA).
3. Who oversees compliance in the organization?
There should be one person in charge, such as a Chief Information Security Officer (CISO). What’s critical is a thorough understanding of the company’s privacy obligations and staying up to date on IT and physical safeguards, particularly protection for hard drives and mobile devices.
4. How is data protected?
Keeping paper and digital information organized, accurate, and secure is the key, and a comprehensive document management process is recommended. Track every stage of the information cycle, from data generation and storage to the transfer of data from location to location and the document destruction process. For world-standard document destruction, partner with an information security company that has a secure chain of custody, including locked security consoles, security-trained professionals, and powerful cross-cut shredding machines. A Certificate of Destruction after every shred is important for record-keeping.
5. How is information security communicated?
The following are industry best practices:
- Develop formal information security policies and procedures.
- Promote a culture of security from the top down. The C-suite should be committed; use employee communications too.
- Provide ongoing employee training on how to handle confidential information in and outside of the office. Employee error is a frequent cause of data breaches, according to the 2015 Industry Forecast by Experian.
- Embed information security into the workplace by standardizing document destruction services, a Clean Desk Policy, and a Shred-it All Policy.
While failing to comply with privacy legislation can cause long-term damage to brand and reputation, it’s important to know about the large fines and other consequences that organizations may face too.