Virtually all companies possess sensitive, confidential or regulated data that requires protection. In fact, most organizations hold significant amounts of private customer, employee and business-partner information, in addition to the company’s own proprietary data.
Keeping that information private is not simply an “IT problem.”
Ongoing data breaches of companies with ample information technology budgets show it is a mistake to place the entire privacy burden on your internal or external IT team. And relying solely on IT will likely not prevent misuse of data by employees or third parties, as seen recently in the headlines with Facebook.
Instead, a wider governance approach must be applied, starting with a privacy assessment.
A privacy assessment generally entails a privacy professional’s assessing an organization’s data, including the risks and vulnerabilities related to the company’s collection, storage, handling and disposal of data. The end product is a report detailing and ranking potential legal liabilities discovered. The assessment process overcomes several common obstacles that prevent companies from improving their data privacy.
First, many organizations concerned about data privacy do not know where to begin on this seemingly overwhelming problem.
The assessment provides a discrete first step and starting point by which the company can get an overview of its data issues. Conducting the assessment requires no large capital commitment, hiring of employees or increasing overhead, nor does it lock the company into any long-term commitments.
Another common obstacle to investigating privacy worries is lack of internal expertise to steer the process.
Many companies have no chief privacy officer or similar position as an in-house expert. The privacy assessment is an easier first step than hiring a privacy officer, and there are benefits to using an outside professional to get an objective, unbiased analysis.
Because the assessment report details the company’s internal issues and potential legal liabilities for insufficient data protection, organizations should have qualified outside counsel conduct the assessment.
Using outside counsel will provide attorney-client privilege protection to legal issues and vulnerabilities uncovered. And legal counsel is best positioned to provide any needed advice about complying with the law, whether it is state or federal data privacy laws such as the Health Insurance Portability and Accountability Act.
Some companies also delay taking action due to a limited budget or manpower for privacy “fixes.” The assessment report will help because it provides a roadmap of the concerns the company needs to address, in prioritized order. The company can then focus its finite resources and manpower on the priority items.
Often, the problems call for improved governance measures, not more IT spending. Because improved governance often entails low-tech action items, significant improvement is possible without large capital expenditures.
In addition, the assessment will help answer any management concerns as to whether improving privacy adds to the bottom line.
The assessment provides concrete action items, and those actionable steps provide a ready means for the company to set itself apart from its competitors. It can market itself as a company that takes privacy seriously, and can reference actual steps taken.
The privacy assessment might assist the bottom line in other ways.
Depending on the scope and details of the assessment, the resulting action items might position the company for paying better rates for cyber insurance. The company will be positioned to provide potential carriers with documentation of steps taken that show it is a good risk. Addressing privacy concerns proactively will also be far cheaper than the cost of brand damage, business interruption and lost customers after a privacy incident occurs.
The privacy assessment process is the ideal way for an organization to get started on the path to improving its protection of private information. Protecting data is good for business, and getting started is not as difficult as it might appear.
Babione is a partner with Wooden McLaughlin LLP, where his practice includes a range of civil litigation, with an emphasis on data privacy, electronic discovery and information governance.