Data dump or dump the data to minimize privacy liability risks?
Data, data, data – everywhere we turn in the modern world, we are inundated with and driven by data. To remain competitive, businesses must capitalize on the data available to them, but doing so can also result in liability risk. Once data is compromised, it can be difficult or even impossible to re-secure. At-fault parties may find themselves responsible for exorbitant penalty fees and mitigation costs. Every organization today needs data retention policies to minimize privacy liability risk.
Personally identifiable information
One of the main sources of privacy liability risk is the collection and storage of personally identifiable information, or PII. According to the U.S. Department of Labor, PII is defined as: “Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” The definition then goes on to specify examples of direct and indirect identification:
- Direct identification: name, address, social security number or other identifying number or code, telephone number, email address, etc.
- Indirect identification: gender, race, birth date, geographic indicators or other descriptors
While PII is not the only information that incurs privacy liability risk, it is the most common example most businesses face. Whoever collects and stores PII is usually held responsible if a data breach or other misuse occurs. This makes it imperative that organizations only store information they need to use, protecting it to the fullest extent possible. Implementing data retention policies can also help minimize privacy liability risk.
A data breach is the unauthorized access or distribution of information that is sensitive or confidential in nature. This can occur in a variety of ways but is usually the result of theft or human error. Theft can involve stealing physical copies of information or hardware containing information, or it can be conducted virtually via hacking, phishing or some other method. Both physical and electronic copies of information can accidentally be released through insufficient security, unintentional distribution or incorrect disposal methods. It is important to have policies in place that address the security, distribution and destruction of both electronic and physical copies of sensitive data.
Creating data retention policies to minimize privacy liability risk
Data retention is a term that refers to the types of information an organization retains for business purposes, and how long that information is retained before it is destroyed. Storing only the data you need and regularly cycling data out of your systems once it’s no longer useful can drastically reduce the impact of a potential data breach.
First, determine what types of data your organization retains. You may discover that you are storing unnecessary information or that your data does not have enough protections in place. Different protections will be needed depending on the data’s “clearance level.” For example, what’s considered public knowledge will require a vastly different security approach from what’s considered highly confidential.
Next, identify how long your information should be kept before being disposed of in a secure manner. Depending on the nature of your operations, you may be subject to laws that govern these practices for you. If not, it’s good to determine a suitable length of time and regularly schedule periods for employees to engage in cleaning out data.
Lastly, it’s a good idea to use the “principle of least privilege,” which restricts an individual’s access to only the information they require in order to perform their job functions. This imposes organic restrictions on sensitive data, which can go a long way towards safeguarding it from malicious or accidental misuse or distribution.
Other best practices
The following best practices are also great ways to reduce either the likelihood or the impact of a data breach:
- Restrict access to information using the principle of least privilege.
- Appoint a chief information or security officer to perform regular data back-ups and enforce data retention policies.
- Provide regular cyber security training to all employees.
- Install anti-virus and encryption software on all devices and maintain standard security measures such as firewalls, secured wireless connectivity, and so on.
- Ensure all users have unique IDs and passwords when connecting to or accessing your internal network.
- Require all users to utilize multi-factor authentication when connecting to or accessing your internal network.
- Change passwords at least every 90 days.
- Secure physical files of sensitive information in locked file drawers or offices.
- Establish and post document retention and destruction policies.
Cyber threats are on the rise. While data is necessary to conduct business, it can be a double-edged sword if not handled correctly. Ensure your organization has data retention policies in place to minimize privacy liability when it comes to collecting, storing, protecting, and destroying your data. For more information, please contact your broker or tribal risk manager, Mark Sherwood, at email@example.com.