Privacy and data security laws and regulations exist at both the federal and state level and, until recently, there was a fairly clear demarcation between what federal regulations covered and what was in the domain of the states. That equilibrium changed on March 1 when the Commonwealth of Massachusetts issued minimum standards for the protection of personally identifiable information (PII). The regulations go into great detail concerning the steps companies must now take to safeguard their data and, in particular, the need for them to develop written data security procedures. An excellent review of the overlapping federal and state regulations, written by Nathan Greene and Jesse Kanach, was published in the February 22, 2010 issue of Securities Regulation and Law Report. The bottom line is that much has changed in 2010 regarding the safeguarding of PII and the extent to which the executive teams at companies must review their level of compliance.
What Corporate Counsel Should Know
Effective data protection programs must be designed and implemented as part of the business process. Many companies have struggled with this strategic goal, as a number of steps are required to build a privacy compliance program. A number of players are involved as well, including the CEO, CFO and general counsel, but also the department heads within compliance, IT, operations, and HR. Management is ultimately responsible for the privacy compliance program, its implementation and its operating effectiveness. However, given the degree of reputational risk inherent in a data breach, oversight of a company's data security and privacy program is now a Board of Directors imperative as well.
Because preventive measures are far less costly, in both financial and operational terms, than re-engineering systems after an incident or significant breach has occurred, reasonable measures can be taken in advance to minimize risk. A privacy compliance program comprises a number of steps, including:
Practices evolve rapidly, and regulations follow. Enterprise managers need to make sure they are aware of the latest developments. As an example, think how rapidly and to what extent communication has changed recently. Just two or three years ago, the primary modes of sharing information were email and telephone. Now, the majority of information disseminated first sees the light of day via Internet postings, including through social networking sites like Twitter and Facebook. In fact, a policy handbook including a code of conduct specifically covering social media should be part of every company's privacy compliance toolkit.
Establish a Compliance Monitoring Program over Privacy Policies.
Training programs and employee manuals are valuable first steps, but are they being followed? How are they enforced? Surveys and annual reviews are good practices. Counsel can assist in pointing out to employees the risks and penalties the company faces when a data breach occurs or when the company is found to be out of compliance. It is critical that employees understand their responsibilities surrounding PII, and policy adherence should be made part of the onboarding process for new hires.
Identify and Categorize the Data Assets.
Data management starts with an inventory of assets. When collecting data, managers should "tag" data to be able to identify, track and categorize where sensitive PII is stored to effectively protect and use the information as well as to facilitate reporting. Tagging also helps managers create real-time status reports so they can see how knowledge is being shared.
Be Aware of Information Requests, Internally and Externally.
Examine Physical Aspects of PII Security.
Management should ensure that the IT department inspects the sites where information is held, both in-house and at outside storage facilities. IT should build protocols to protect both the information and storage tools. Protocols should cover, among other items, the physical security of personnel files; who has access to files and how personnel are hired and trained; how long the material is retained and the policy regarding document destruction. These protocols should be developed in accordance with the many specific state and federal regulations the company is responsible for knowing and following.
A privacy risk assessment outlines the internal and external vulnerabilities based on the types of sensitive information the organization holds. The executive management of an organization needs to review its overall privacy compliance program by first identifying which privacy laws can be triggered by a breach or through non-compliance, and then identifying the business processes in which personally identifiable information is collected and maintained.
Privacy compliance and data protection programs encompass the processes that an organization employs to protect and secure its systems, media, and facilities for processing and maintaining vital information. The processes to safeguard confidential data are the primary defenses of an information security safeguard program. An organization can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when needed. Executives need to assess the effectiveness of their information security safeguard program, in particular the financial, operational, and reputational risks to their organizations. Now more than ever, the ability to proactively manage, protect and share PII, intellectual property, and other sensitive data in a cost-effective manner - both within an organization and with strategic partners, trusted advisors, clientele, and other parties - is crucial.
John P. Fodera, CPA, is a Partner in Eisner's Internal Audit and Risk Management Services (IARMS) group, focusing on delivering risk advisory and audit services.