On Point

Creating an Effective Data Security Plan

Posted by Kristine Buyers on Mar 23, 2015 1:02:00 PM

Stories of major data breaches have been all over the news recently, showing how vulnerable some major enterprises are to viral attacks. Along with losing private information, the attacks leave companies exposed to negative media scrutiny and possible punitive action from regulators, customers and attorneys.

To avoid this type of negative attention, enterprises should empower a team of executives and IT leaders to create a data security plan that covers the entire organization. This team should identify all of the information that needs to be protected and then create a roadmap outlining where that information is located within the organization. These locations could include laptops, desktops, servers, and databases.

After accounting for all of your data, start classifying how sensitive and important each component is to your organization. Create a system to rank the information in terms of importance, and determine how much harm the loss of each level of data would cause your company. Your security plan can then begin to address which data is most at risk and help you determine the steps you need to take to protect it.

For example, all enterprises want to protect personal information, and that type of protection is required by state and federal laws (see Data Security Standards). Personal information can include a customer’s name, social security number, driver’s license number, credit card information, and any passwords or security codes associated with the customer. Some states, like California, include a requirement to protect personal email addresses whenever you establish a password or security question and answer.

For credit cards, data protection must include a customer’s account number, the cardholder’s name, the expiration date, the PIN, and the security code on the back of the card.

HIPAA - Health Insurance Portability and Accountability Act  

Your data security plan should include well-defined methods for protecting all of this information and spell out how any state laws will impact your protection hierarchy. This is especially important for all personal health information that is collected. HIPAA, the Health Insurance Portability and Accountability Act, spells out specific health information that must be protected. This includes data about a customer’s health status and all health care that is linked with personal identifiers. These include names and addresses, dates of treatments, phone numbers, email addresses and social security numbers.

Along with protecting HIPAA information, enterprises that conduct business in Europe, or are thinking about conducting business overseas, need to know and address all global laws regarding data security. For example, the European Union’s Data Protection Directive, or French Law No. 78-17, requires that international corporations follow foreign laws that protect personal data if and when they obtain data from foreign subsidiaries.

Considering the growing trend in data breaches, it’s vital for companies to implement stringent security measures, especially with information as sensitive as healthcare and financial records. Security guidelines created for healthcare records are similar to security measures taken by credit card companies. Following these regulations is mandatory, and your security procedures must cover all forms of marketing and public disclosure and must include specifications mandated in all state and federal laws and regulations.

Does your organization's security comply with industry standards? Dewpoint can assist in assessing where an organization's overall security posture is through a security assessment. The first consultation is free!