Burnham Risk's Data Security Plan

For #DataPrivacyDay, our risk experts at Burnham Risk wanted to provide an informative guide to help best protect you and your business from the increasing threat of data breaches and tech invasions. Data security is crucial for all businesses. Customer and client information, payment information, personal files, bank account details—this information is often impossible to replace if lost and is extremely dangerous in the hands of criminals.

Data lost due to disasters such as a flood or fire is devastating, but losing data to hackers or a malware infection can have far greater consequences. How you handle and protect your data is central to the security of your business and the privacy expectations of customers, employees, and partners.

1. Conduct an inventory to help you answer the following questions:

What kind of data does your business have?

    • A typical business will have all kinds of data, some of it more valuable and sensitive than others—but all data has value to someone. Your business data may include customer data such as account records, transaction accountability, and financial information, contact and address information, purchasing history, and buying habits and preferences, as well as employee information such as payroll files, direct payroll account bank information, Social Security numbers, home addresses, and phone numbers, and work and personal email addresses. 
    • You may also have proprietary and sensitive business information such as financial records, marketing plans, product designs, and state, local and federal tax information.

How is that data handled and protected?

    • Security experts are fond of saying that data is most at risk when it’s on the move. If all your business-related data resided on a single computer or server that was not connected to the internet, and never left that computer, it would probably be very easy to protect.

But most businesses need data to be moved and used throughout the company. To be meaningful, data must be accessed and used by employees, analyzed and researched for marketing purposes, used to contact customers and even shared with key partners. Every time data moves, it can be exposed to different dangers.

As a business owner, you should have a straightforward plan and policy—a set of guidelines, if you will—about how each type of data should be handled, validated and protected based on where it is traveling and who will be using it.

Who has access to that data and under what circumstances?

    • Not every employee needs access to all of your information. Your marketing staff shouldn’t need or be allowed to view employee payroll data, and your administrative staff may not need access to all your customer information.

Once you’ve done an inventory of your data and you know exactly what data you have and where it’s kept, it is important to assign access rights to that data. Doing so simply means creating a list of the specific employees, partners or contractors who have access to specific data, under what circumstances they have access to it, and how those access privileges will be managed and tracked.

Your business could have a large assortment of data of varying value, including the following:

    • Customer sales records
    • Customer credit card transactions
    • Customer mailing and email lists
    • Customer support information
    • Customer warranty information
    • Patient health or medical records
    • Employee payroll records
    • Employee email lists
    • Employee health and medical records
    • Business and personal financial records
    • Marketing plans
    • Business leads and inquiries
    • Product design and development plans
    • Legal, tax and financial correspondence

2. Once you’ve identified your data, keep a record of its location and move it to a more appropriate location as needed.

3. Develop a privacy policy.

Privacy is important for your business and your customers. Continued trust in your business practices and products, combined with secure handling of your clients’ unique information impacts your profitability. Your privacy policy is a pledge to your customers that you will use and protect their information in ways that they expect and that adhere to your legal obligations.

Your policy starts with a simple, clear statement describing the information you collect about your customers (e.g., physical addresses, email addresses and browsing history), and what you do with it. There are a growing number of regulations protecting customer and employee privacy, which often carry costly penalties for privacy breaches. You will be held accountable for what you claim and offer in your policy.

That’s why it’s important to create your privacy policy with care and post it clearly on your website. It’s also important to share your privacy policies, rules, and expectations with all employees and partners who may come into contact with sensitive information. Your employees need to be familiar with your privacy policy and what it means for their daily work routines.

Your privacy policy should address the following types of data:

  • Personally identifiable information—Often referred to as PII, this information includes things such as first and last names, home or business addresses, email addresses, credit card and bank account numbers, taxpayer-identification numbers, patient numbers, and Social Security numbers. It can also include gender, age, date of birth, city of birth or residence, driver’s license numbers, and home and cellphone numbers.
  • Personal health information—Whether you’re a health care provider with lots of sensitive patient information or you manage health or medical information for a small number of employees, it’s vital that you protect that information. A number of studies have found that most consumers are very concerned about the privacy and protection of their medical records. They do not want their health information falling into the hands of hackers or identity thieves who might abuse it for financial gain. They also do not want co-workers prying into their personal health details, and they don’t want future employers or insurers finding out about any medical conditions or history. 
  • Customer information—This includes payment information such as credit or debit card numbers and verification codes, billing and shipping addresses, email addresses, phone numbers, purchasing history, buying preferences and shopping behavior.

4. Protect data collected on the internet.

Your website can be a great place to collect information, such as transactions and payments, purchasing and browsing history, newsletter sign-ups, online inquiries, and customer requests.

This data must be protected, whether you host your own website and manage your own servers or whether your website and databases are hosted by a third party, such as a web hosting company.

If you collect data through a website hosted by a third party, be sure that the third party fully protects that data. Apart from applying all the other precautions that have been described, such as classifying data and controlling access, you need to make sure any data collected through your website and stored by the third party is sufficiently secure. That means the data is protected from hackers and outsiders as well as from employees of the hosting company.

5. Create layers of security.

Protecting data, like any other security challenge, is about creating layers of protection. The idea of layering security is simple: you cannot and should not rely on just one security mechanism—such as a password—to protect something sensitive. If that security mechanism fails, you have nothing left to protect you.

When it comes to data security, there are a number of key procedural and technical layers you should consider.

Inventory your data.

    • As described above, you need to conduct a data inventory so you have a complete picture of all the data your business possesses or controls. It’s essential to get a complete inventory, so you don’t overlook sensitive data that could be exposed.

Identify and protect your sensitive and valuable data.

    • Data classification is one of the most important steps in data security. Not all data is created equal, and few businesses have the time or resources to provide maximum protection to all their data. That’s why it’s important to classify your data based on how sensitive or valuable it is so that you know what your most sensitive data is, where it is located and how well it’s protected.

Common data classifications include the following:

      1. HIGHLY CONFIDENTIAL: This classification applies to the most sensitive business information that is intended strictly for use within your company. Its unauthorized disclosure could seriously and adversely impact your company, business partners, vendors and customers in the short and long term. It could include credit card transaction data, customer names and addresses, card magnetic stripe contents, passwords and PINs, employee payroll files, Social Security numbers and patient information (if you’re a health care business). 
      2. SENSITIVE: This classification applies to sensitive business information that is intended for use within your company. Information that you consider to be private should be included in this classification. Examples include employee performance evaluations, internal audit reports, various financial reports, product designs, partnership agreements, marketing plans, and email marketing lists. 
      3. INTERNAL USE ONLY: This classification applies to sensitive information that is generally accessible by a wide audience and is intended for use only within your company. While its unauthorized disclosure to outsiders should be against policy and may be harmful, such disclosure is not expected to negatively impact your company, employees, business partners, vendors and the like.

Control access to your data.

    • No matter what kind of data you have, you must control access to it. The more sensitive the data, the more restrictive the access. As a general rule, access to data should be on a need-to-know basis. Only individuals who have a specific need to access certain data should be allowed to do so.
    • Once you’ve classified your data, begin the process of assigning access privileges and rights—that means creating a list of who can access what data, under what circumstances, what they are and are not allowed to do with it and how they are required to protect it. As part of this process, a business should consider developing a straightforward plan and policy—a set of guidelines—about how each type of data should be handled and protected based on who needs access to it and the level of classification.
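As an added example (not Burnham Risk's code) of how the inventory, classification and need-to-know steps above can be made concrete, here is a small Python access check over a constructed inventory and access list. The asset names, employees, and the rule that HIGHLY CONFIDENTIAL data requires a second authentication factor are assumptions for illustration; every decision is written to an audit log so access can be tracked, and a review function flags grants that outlived their asset.

```python
# Added example, not Burnham Risk's own code: a minimal need-to-know access
# check driven by the three classification levels described on this page.
from datetime import datetime, timezone

# Ordered least to most sensitive, matching the classification list above.
LEVELS = {"INTERNAL USE ONLY": 1, "SENSITIVE": 2, "HIGHLY CONFIDENTIAL": 3}

# Constructed sample inventory: asset -> (classification, where it is kept).
INVENTORY = {
    "staff-directory": ("INTERNAL USE ONLY", "intranet"),
    "customer-mailing-list": ("SENSITIVE", "crm-server"),
    "marketing-plan": ("SENSITIVE", "marketing-share"),
    "employee-payroll": ("HIGHLY CONFIDENTIAL", "hr-fileshare"),
}

# Constructed access list: (employee, asset) -> permitted actions; anything
# absent from this table is denied (need-to-know means default deny).
GRANTS = {
    ("alice@hr", "employee-payroll"): {"read", "update"},
    ("bob@marketing", "customer-mailing-list"): {"read"},
    ("bob@marketing", "marketing-plan"): {"read", "update"},
    ("carol@sales", "old-leads-export"): {"read"},  # stale: asset no longer inventoried
}

AUDIT_LOG = []  # every decision is recorded so access can be tracked later

def check_access(user, asset, action, mfa_verified=False):
    """Allow only explicitly granted actions, and require a second factor
    (assumed rule) for HIGHLY CONFIDENTIAL data. Appends an audit entry."""
    if asset not in INVENTORY:
        decision, reason = False, "asset not in inventory"
    elif action not in GRANTS.get((user, asset), set()):
        decision, reason = False, "no grant for this action"
    elif LEVELS[INVENTORY[asset][0]] >= LEVELS["HIGHLY CONFIDENTIAL"] and not mfa_verified:
        decision, reason = False, "second factor required"
    else:
        decision, reason = True, "granted"
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "user": user,
                      "asset": asset, "action": action, "allowed": decision, "reason": reason})
    return decision

def review_grants():
    """Periodic access review: grants pointing at assets missing from the
    inventory, and the people who can reach HIGHLY CONFIDENTIAL data."""
    orphaned = sorted(a for (_, a) in GRANTS if a not in INVENTORY)
    privileged = sorted({u for (u, a) in GRANTS
                         if a in INVENTORY and INVENTORY[a][0] == "HIGHLY CONFIDENTIAL"})
    return orphaned, privileged
```

Running `review_grants()` as part of a scheduled access review is what turns the one-time inventory into the ongoing tracking the text calls for.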

Secure your data.

In addition to administrative safeguards that determine who has access to what data, technical safeguards are essential. The two primary safeguards for data are passwords and encryption.

      • Passwords should be the strongest they can reasonably be. That means passwords that are random, complex and long (at least 10 characters), that are changed regularly and that are closely guarded by those who know them. Employee training on the basics of secure passwords and their importance is a must.
      • Passwords alone may not be sufficient to protect sensitive data. Businesses may want to consider two-factor authentication, which often combines a password with another verification method, such as a PIN.

The factors commonly combined for two-factor authentication include the following:

        • Something the requestor individually knows as a secret, such as a password or a PIN.
        • Something the requestor uniquely possesses, such as a passport, physical token or ID card.
        • Something the requestor can uniquely provide as biometric data, such as a fingerprint or face geometry.

Encryption has been used to protect sensitive data and communications for decades, and today’s encryption is affordable, easy to use and highly effective in protecting data from prying eyes.

  • Encryption encodes or scrambles information to such a degree that it is unreadable and unusable by anyone who does not have the key to unlock the data. The key is like a password, so it’s very important that the key is properly protected at all times. 
  • Encryption is affordable for even the smallest business, and some encryption software is free. You can encrypt an entire hard drive, a specific folder on a drive or just a single document. You can also use encryption to protect data on a USB or thumb drive and on any other removable media. 

Because not all levels of encryption are created equal, businesses should consider using a data encryption method that is validated under the Federal Information Processing Standards (FIPS), which means it has been tested for compliance with federal government security requirements.

Back up your data.

    • Just as critical as protecting your data is backing it up. In the event that your data is stolen by thieves or hackers, or even erased accidentally by an employee, you will at least have a copy to fall back on. 
    • Put a policy in place that specifies what data is backed up, how it is backed up, how often it’s backed up, who is responsible for creating backups, where and how the backups are stored, and who has access to those backups. 
    • Businesses have many backup options, whether it’s backing up to an external drive in the office, or backing up online so that all data is stored at a remote and secure data center. 
    • Remember, physical media—such as a disc or drive used to store a data backup—is vulnerable no matter where it is located, so make sure you guard any backups stored in your office or off-site, and make sure that your backup data storage systems are encrypted.

6. Plan for data loss or theft.

Every business has to plan for the unexpected, and that includes the loss or theft of data from your business. Not only can the loss or theft of data hurt your business, brand and customer confidence, it can also expose you to the costly state and federal regulations that cover data protection and privacy. Data loss can also expose you to significant litigation risk.

That’s why it’s critical to understand exactly which data or security breach regulations affect your business and how prepared you are to respond to them. Understanding these regulations will make it easier to launch a rapid and coordinated response to any loss or theft of data.

At the very least, all employees and contractors should understand that they must immediately report any loss or theft of information to the appropriate company officer. No loss should be ignored. So even if you have sensitive data that just can’t be accounted for, such as an employee who doesn’t remember where he left a backup tape, it may still constitute a data breach and you should act accordingly. Keep in mind that you may need to report a breach to your customers, as well. Currently, 46 states and the District of Columbia have data breach notification laws dictating how businesses must alert their customers that a breach has occurred.

Are you interested in learning more about how your business can better protect against cyber liabilities? Call our risk management experts today at Burnham Risk. Contact us at 949-833-2983.