CONTRIBUTED BY Jennifer Kashatus
Virtually every company maintains some personal information – your company might hold personal information about employees, customers, or both. The precise definition of personal information varies by state and/or statute, but, as a general matter, it includes information capable of identifying a natural person, such as (but not limited to) a first name or initial plus last name, in combination with a postal address, Social Security number, driver's license number or other state-issued identification number, or a financial account number such as a bank account number or credit card number.
Whatever personal information your company possesses, it should take measures—and, in fact, may be required by law to take measures—to protect that information. To handle personal information appropriately and to protect one of your most valuable assets—information—take stock of the information your company maintains as the starting point to getting your privacy house in order.
To date, the United States has not adopted comprehensive federal privacy regulation. Instead, it regulates privacy sector by sector, where it sees a need to prevent a particular harm or to protect a particular class of information (e.g., financial privacy rules, healthcare privacy rules, and protection of children's information).
The Federal Trade Commission (FTC) has authority to address unfair and deceptive trade practices, and it has used this authority to address companies' lapses in data security. In addition to these federal laws, there are myriad laws at the state level: the vast majority of the states, the District of Columbia, and U.S. territories have adopted data breach legislation; states have also implemented laws requiring information security protections and mandating contractual protections if a company is going to share information with a third-party service provider. As a result, even if your company is not in an industry specifically governed by privacy and data security regulations, there will inevitably be regulations that pertain to your data, particularly if your company suffers a data breach.
To put your company in the best position to comply with these regulations, and, perhaps more importantly, to ensure that it is able to protect the data in its possession appropriately, your company should take stock of that data. Take the time to understand, as a starting point:
- What types of personal information does your company maintain about employees and/or customers?
- Where does your company store that information, and which employees or classes of employees have access to it?
- Under what circumstances does your company share that information with third parties?
Take the time to understand what your company already has done to address privacy and data protection. For example:
- Does your company have internal policies and procedures to protect personal information?
- Does your company have an incident response plan in the event of a data breach?
- Does your company require third-party service providers to safeguard your information?
- Is each of the above items up-to-date?
Once you have identified what you might already have in place, next consider whether your company is in the best position to protect its data. For example, consider whether all of the employees who have access to personal information really need it to perform their jobs. Similarly, evaluate whether your third-party service provider needs all of the information you are providing to it – and, at the same time, evaluate whether that service provider has appropriate security in place to protect your information, a valued asset. Then check whether your privacy policies and procedures are accurate and up-to-date and, whether or not they are, whether there are ways in which you can modify them so as to better protect the information in your company's possession.
Personal information is a valuable asset, and a breach of personal information can have significant negative effects (from financial expense to reputation damage) on your company. Take time to put your privacy house in order.