The beginning of a new year offers the perfect opportunity for companies to review their privacy and data security practices and make any needed adjustments. Since it is a matter of “when,” not “if,” your company will be the target of a data breach, your organization should proactively ensure that you are prepared for the inevitable. We suggest all companies resolve to do the following in 2017 to set themselves on the right course for the year:
- Review the scope of data you collect
To successfully evaluate your privacy and data security risk, you must understand all the types of data you collect and store from your customers, employees, and other users. Human resources, marketing, IT, and other departments all continue to collect data, and the types of data collected may have changed over the past year as your company grew and evolved. You also need to know which types of information are protected and how such data is regulated. For example, regulation may depend on the location of the person who provided the information or the type of technology used to collect the data. Additionally, you must know how you share or transfer information and whether your data flows across borders. If you realize you are collecting information that is not necessary for your business purpose, consider changing your practices so that such data is no longer collected, minimizing potential regulatory risk. However, any data that is deleted or discarded must be disposed of securely in accordance with applicable legal requirements.
- Revisit privacy notices
You should review your privacy notices to ensure they are up to date and accurately describe your company’s data collection and sharing practices. Your company may have added new products, services, or partnerships during the previous year but failed to update its privacy notices to reflect such changes. Also, be sure your privacy notices comply with ever-changing state and federal legal requirements. To ensure a privacy notice is effective, companies should use clear and unambiguous language and an organized structure, and should disclose the most important and unexpected information first. As the FTC noted in an enforcement action settlement at the end of 2016: (1) privacy notices are potentially deceptive if they are not complete and accurate; and (2) even complete and accurate privacy notices are potentially deceptive if the disclosures are not made in ways that ensure the consumer will see or understand them.
- Update data security policies and procedures
Technology, privacy laws, and industry best practices continue to rapidly evolve. Make sure your policies and procedures reflect all the data you collect and all the ways you collect, store, use, and share information. Make sure you are basing your data security policies on current state and federal laws. If you are relying on outdated laws or rules, regulators may not be as understanding when you suffer a data breach. Similarly, relying on “adequate” controls that sufficed last year may not be enough to protect your company in the face of new security threats and increasingly sophisticated cybercriminals. Verify that you are staying on top of industry best practices.
- Confirm your response plan is ready to go
A written data breach response plan is important to ensure that your company can respond appropriately and effectively to a breach. Your company must be able to quickly recognize a suspected breach, immediately contain it, preserve important evidence, engage appropriate individuals (lawyers and forensic investigators) to investigate, and determine whether regulators and/or customers must be notified. If your company already has a response plan in place, take the time to make sure pertinent employees are aware of, and familiar with, the plan (a well-written plan is only as good as the training and readiness of the team). And if your company does not have an incident response plan in place, you should start crafting one. If your company experienced any data incident(s) in the previous year, now is a good time to evaluate how the response plan was implemented and whether any changes to the plan should be made before your company experiences another data incident. Also, consider data breach or cybersecurity insurance, to the extent your company does not already have such policies. There are a variety of products available depending on your risk, and these products are quickly evolving to keep up with the market.