Recent headline-making security breaches could leave businesses feeling powerless to secure data in the information age. In the well-publicized Wikileaks case, confidential Department of Defense files were compromised by one or more inside sources. In another case, Kinetic Concepts Inc. notified authorities that a call center employee had used customer payment data to make personal purchases. The cases are very different, yet both involved the intentional leak or misuse of data by a rogue employee. This presents a challenge to the many businesses that need personal information for legitimate purposes: they have a responsibility to create policies and procedures that protect all of it, yet seemingly little can be done to stop an insider gone rogue.
There are some ways, however, that a business can specifically minimize this risk as part of an overall security program. Employee risk must be analyzed and controlled. Individual employees should be granted access only to the personal information required to complete their duties; your system administrator and your receptionist shouldn't have the same level of access. Review that access periodically, since people change roles and accumulate permissions they no longer need. Make sure your policies and disciplinary actions are well documented and acknowledged in writing, so that your employees are fully aware of them. And when an employee is terminated, promptly revoke all of their system access, including remote access, shared accounts and passwords they knew, ideally at the moment they are notified rather than days later.
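The two controls above, least privilege and prompt offboarding, are easy to state and easy to let slip, so a practical program checks them mechanically. The following is an added example, not code from the original article: a small Python script that reconciles an exported account list against the HR roster and a hypothetical per-role entitlement allow-list. The roster, the account export, the role names and the entitlement names are all constructed for illustration; in practice they would come from your HR system and directory.

```python
"""Insider-risk hygiene check (added example, constructed data).

Flags two conditions from the text:
  1. least privilege  - an account holds entitlements its role does not need;
  2. prompt offboarding - an account is still enabled although its owner
     has left, or nobody in HR owns it at all.
"""
from datetime import date, timedelta

# Constructed HR roster export: username -> employment record.
HR_ROSTER = {
    "alice": {"role": "sysadmin", "status": "active", "end_date": None},
    "bob": {"role": "receptionist", "status": "active", "end_date": None},
    "carol": {"role": "call_center", "status": "terminated",
              "end_date": date(2024, 1, 10)},
}

# Hypothetical least-privilege baseline: what each role is allowed to hold.
ROLE_POLICY = {
    "sysadmin": {"server_admin", "directory_admin"},
    "receptionist": {"visitor_log"},
    "call_center": {"customer_contact"},
}

# Constructed directory export: username -> account state.
ACCOUNTS = {
    "alice": {"enabled": True, "entitlements": {"server_admin", "directory_admin"}},
    "bob": {"enabled": True, "entitlements": {"visitor_log", "customer_payment_cards"}},
    "carol": {"enabled": True, "entitlements": {"customer_contact"}},
    # Service account with no HR owner: flagged so someone is made accountable.
    "svc_backup": {"enabled": True, "entitlements": {"server_admin"}},
}


def orphaned_accounts(accounts, roster, today, grace_days=0):
    """Enabled accounts with no active owner in HR.

    Returns (username, reason) pairs sorted by username. grace_days lets a
    policy tolerate a short overlap after the end date; 0 means none.
    """
    findings = []
    for user, acct in sorted(accounts.items()):
        if not acct["enabled"]:
            continue
        emp = roster.get(user)
        if emp is None:
            findings.append((user, "no HR record"))
        elif emp["status"] != "active":
            end = emp["end_date"]
            if end is None or today - end >= timedelta(days=grace_days):
                findings.append((user, f"owner terminated on {end}"))
    return findings


def excess_entitlements(accounts, roster, policy):
    """Entitlements held beyond what the owner's role permits.

    Returns (username, [extra entitlements]) pairs sorted by username.
    Accounts with no HR record are left to orphaned_accounts().
    """
    findings = []
    for user, acct in sorted(accounts.items()):
        emp = roster.get(user)
        if emp is None:
            continue
        allowed = policy.get(emp["role"], set())
        extra = acct["entitlements"] - allowed
        if extra:
            findings.append((user, sorted(extra)))
    return findings


def run_review(today=date(2024, 1, 12)):
    """Run both checks over the constructed data; each hit is a ticket."""
    return (orphaned_accounts(ACCOUNTS, HR_ROSTER, today),
            excess_entitlements(ACCOUNTS, HR_ROSTER, ROLE_POLICY))


if __name__ == "__main__":
    orphans, excess = run_review()
    for user, reason in orphans:
        print(f"DISABLE {user}: {reason}")
    for user, extra in excess:
        print(f"REVIEW {user}: remove {', '.join(extra)}")
```

Run it nightly and again on every termination event; every line it prints is an action item, not a report to file. The receptionist holding customer payment card access is exactly the "same level of access" problem the paragraph warns about, and the terminated call center employee's still-enabled account is the case that lets a rogue insider keep working after they have been cut loose.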
If you store the personal data of a Massachusetts resident, you must be aware of the Massachusetts data security regulations. Under 201 CMR 17.00, you are required to create a Written Information Security Program (WISP) and to train your employees on your security practices. If a breach occurs, be prepared to prove that every employee received and read the WISP and was trained on it. And finally, if a breach does occur, don't wait and don't hide it! Follow the notification procedures in the Massachusetts breach notification law (M.G.L. c. 93H) to notify the affected consumers, the Attorney General and the Office of Consumer Affairs and Business Regulation, maximizing their ability to respond, ensuring your compliance and minimizing the risk of additional fines.