Thanks to former NSA contractor Edward Snowden, companies around the globe are rethinking the way they handle and protect sensitive data.
Data security and the protection of electronic records are the top difficulties companies will face in the coming year, according to our annual survey of senior compliance and risk executives. Seventy-four percent cited data security and sixty-eight percent cited electronic records as high priorities, outstripping other risk areas such as bribery and corruption, antitrust, money laundering, environmental regulation and workplace behavior.
To get a proper handle on data privacy, companies need to consider the following:
Mission and Values: Understand how protecting sensitive data supports your company’s purpose and values—and help employees make the connection.
Evaluate the Risks and Limit Access: Assess what data your company has about its customers, employees, and competitors. How much of it is sensitive? What are the risks if the information is disclosed? Determine which individuals should have access to your sensitive data. Equally important: Are there people who have access to data but don’t need it for their jobs?
Institute Companywide Policies: Create policies for how and where your data is stored—don’t forget digital copiers—and also factor in the length of time your data is retained. Has your company examined the effects of BYOD (bring your own device) policies?
Conduct an IT Audit: Evaluate the level of IT protection your company needs for data. Consider the following questions:
• Does some information need to be encrypted either under law or because of its sensitive nature?
• Should all laptop hard drives have encryption software? And should the company ban the use of thumb drives (Snowden’s weapon of choice)?
• Does the IT department have mechanisms to detect unusual download activity either because of the volume of data downloaded or the nature of the data?
• Do you have proper document retention and destruction protocols? Are they tied to your data security strategy?
Discourage Bad Behavior With Education: Outline for employees what kind of behavior could result in a data security problem, and explain what kinds of position-specific training your organization provides. When employees change positions, is retraining necessary?
Create a Speak-Out Culture: Encourage employees to feel comfortable raising issues without fear of retribution. Employers that don’t implement a credible whistleblower program or investigate claims when they are brought forward will be at great risk from employees who may be uneasy about what their employer is doing. Those employees may very well take confidential data to others, including the media, to right a perceived wrong.