A Guide to Protecting Your Sensitive Business Data
By Jim Soenksen and Karen Carnahan
Every business is at risk of a data breach. As high-profile breaches continue to make news headlines, there is a common misconception that only large organizations are in jeopardy. However, hackers continue to execute increasingly sophisticated attacks across virtually every industry and business size. To limit risk, businesses must proactively protect their sensitive company and customer information.
The Pivot Group, an independent audit, assessment, and compliance firm, and Cintas Document Management, a secure document shredding, storage, imaging, and online backup provider, recently hosted a complimentary data privacy webinar (visit www.cintas.com/dmwebinar). The webinar was designed to help organizations learn how to protect their proprietary information and comply with data privacy regulations. It suggests two key steps for protecting your data: understand and comply with regulatory requirements and implement an effective records management program.
Are You Compliant?
With data breaches on the rise, regulatory compliance pressures have also heightened. In 2011 alone, Congress introduced 18 new data privacy bills. Beyond federal and state regulations, compliance requirements have been established to protect the consumer from data theft. These include regulations such as HIPAA, the Fair Credit Reporting Act, and the Red Flag Rules.
Failure to comply with these regulations can result in serious fines and penalties. According to the Ponemon Institute, the average cost per breach in 2011 was $5.5 million. The cost of noncompliance continues to rapidly increase and should be cause for close attention.
Compliance ensures that businesses take preventive measures and prepare an immediate response program to minimize damage in the event that data are compromised. To comply with regulatory standards, begin by researching all laws and regulations that apply to your business. Laws and regulatory agencies vary greatly by state and industry. Global organizations must abide by the laws of every state and country in which they conduct business. Ultimately, the best way to cover your bases is to work with executive management, legal counsel, and a data privacy consultant.
How to Create an Effective Records Management Program
Once you understand the compliance requirements relevant to your business, the next step is to implement (or update) your records management program. Digital technology has led to the evolution of records management. With the increased volume of both electronic and physical correspondence, employees must make the conscious decision to properly save or securely destroy files. It’s important to arm employees with a detailed program to ensure participation across your enterprise.
When creating your records management program, a helpful starting point is to review the Generally Accepted Recordkeeping Principles (GARP) created by ARMA International, an authority on education for information management issues. GARP includes the following eight core principles:
• Accountability: Create a comprehensive policy to include in the company code of conduct. Specifically outline the records management program and assign responsibility to employees who will oversee the program. Communicate and distribute guidelines and expectations to all employees to ensure success across the enterprise. This eliminates confusion regarding responsibility and participation.
• Transparency: Design your program so that it is easily understood by employees as well as outside parties, including government authorities, auditors, and investigators. Do so by conducting annual audits to stay current with industry and technology changes. The goal is to have a consistent, continuously improving program that can be easily audited.
• Integrity: You must be able to prove your records are authentic and unaltered. Begin by identifying all data and where they reside. This includes all data at rest, in use, and in transit. If you don’t know what you have, you can’t protect it. Next, determine the information attributes of your records and create a classification system by defining what each record is, who owns it, and who can access it.
• Protection: Encrypt all digital files, use strong password protection, and never use live data while testing new systems. Use data loss prevention tools to locate private information, such as Social Security numbers and credit card numbers. For physical files, consider an off-site storage provider equipped with 24-hour security cameras, alarm systems, and complete fire protection systems. Your provider should also meet the same compliance standards that you require for your business, such as Payment Card Industry and Statement on Auditing Standards No. 70 compliance.
• Compliance: Ensure your program complies with federal, state, and regulatory laws along with internal company policies. Mandate employee training and host a refresher course on a quarterly or annual basis. Conduct a regularly scheduled internal audit and continuously update the program to remain compliant.
• Availability: A successful program protects data but also ensures they are available for business use. Many businesses partner with an off-site document management provider that can quickly and accurately retrieve and deliver physical records or send an electronic copy. In addition, routinely back up all databases, operating systems, and corporate e-mail systems to ensure electronic data accessibility.
• Retention: Work with management and a legal consultant to identify a document retention schedule based on legal requirements and company policies. Organize the schedule based on broad categories such as accounting, human resources, sales, and marketing. If organizing the entire company’s records seems like a daunting task, focus on the most critical areas first. A retention schedule will help ensure that you don’t hold on to records that are no longer needed, which take up valuable storage.
• Disposition: Provide secure disposition for all files. It’s necessary to safely shred all documents at the end of their life cycle. Although the information may no longer be of value to the company, the information on the document could be valuable to an identity thief. Partner with a NAID AAA-certified shredding provider (National Association for Information Destruction) that destroys documents on a scheduled basis and provides a certificate of destruction for a legal audit trail.
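The data loss prevention step under Protection comes down to locating the patterns that mark regulated data, such as Social Security numbers and card numbers, wherever they sit. The following Python example is added here and is not from the article or the webinar; it scans a constructed text sample, applies the Luhn checksum so ordinary 16-digit identifiers are not flagged as cards, and reports masked matches that are safe to log.

```python
import re

# Constructed sample text for the example; none of these values is real.
SAMPLE = (
    "Applicant SSN: 123-45-6789, paid with card 4111 1111 1111 1111.\n"
    "Tracking number 1234567890123456 is not a card (fails the Luhn check).\n"
    "Mistyped card 4111-1111-1111-1112 is also rejected.\n"
)

# SSN: area 000/666/9xx, group 00 and serial 0000 are never issued by the SSA.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Card: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list:
    """Locate SSNs and card numbers; return (kind, offset, masked value)."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.start(), mask(re.sub(r"\D", "", m.group()))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # Drop digit runs that merely look like cards but fail the checksum.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", m.start(), mask(digits)))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for kind, offset, value in scan(SAMPLE):
        print(f"{kind:4} at offset {offset}: {value}")
```

Run against the sample, the scanner reports one SSN and one card and ignores the tracking number and the mistyped card; in practice the same scan is pointed at file shares, mailboxes, and database exports to build the inventory the Integrity principle calls for.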
Evolve Into the Future
After your records management program is in place, don’t hesitate to implement new technology for your business. Although deployments may increase risk for a data breach, it’s important for your business to evolve. When implementing a new technology system, protect your business by doing the following:
• identifying the critical data involved;
• determining how data will be accessed and stored; and
• updating your controls and processes to make sure your business remains compliant before the new system goes live.
Ultimately, establishing a compliant records management program will help protect your business from a data breach. To ensure success, assign ownership of the program, provide the necessary resources, and educate all parties involved.
— Jim Soenksen is CEO of Pivot Group. He has more than 15 years of experience in information security services.
— Karen Carnahan is president and chief operating officer of Cintas Document Management, one of the nation’s largest providers of document management services.