  |
 |
|
Research and retrieval of news articles by: SPECIAL NOTE TO ALL VISITORS: | ||
 |
|
THE AGE OF DATA PRIVACYSource: BusinessWeekPosted on April 15, 2010 In recent years, data privacy failures have harmed dozens of companies and become commonplace on the front pages of newspapers around the world. High-profile cases invite more regulatory activity, as well as scrutiny from customers and employees. In addition, companies face the challenge of managing a greater volume of sensitive information, created by increasing digitization of employee, health, financial, and other personal data. In October 2009 alone, the Federal Trade Commission (FTC) collected more than $18 million in three settlements related to data breaches and inadequate compliance with data privacy-related laws. These three cases, following closely behind several recent Safe Harbor-related settlements, reflect the FTC's newly determined and rigorous enforcement procedures. More concerning are the ongoing compliance requirements and continued supervision over remediation efforts. One recent settlement included providing compliance updates to the FTC every two months, which can drain managers' time and attention. Moreover, the FTC is not aloneÑdata protection authorities in the United Kingdom, Germany, and Australia are adopting more aggressive enforcement protocol than ever before. The financial consequences of inadequate data privacy and protection continue to grow as well. According to Ponemon Institute research, the average cost of a customer data breach grew from $4.5 million in 2005 to $6.7 million in 2008. In 2008 alone, the total cost of data privacy breaches in U.S. corporations was $721 million. Through its ongoing conversations with its members, Corporate Executive Board has identified four key best practices that companies should follow to help mitigate the potential of data breaches: 1. Identify and understand the basic laws and requirements for your company and the data you collect. For many companies, the most challenging part is making sense of the laws and regulations that apply to their business. With offices, stores, and factories around the world, and a Web site accessible anywhere, it's hard to identify which data you can and cannot collect and what you can and cannot do with this data. In the U.S., with its notorious "patchwork of regulations," a crucial early step is to develop a comprehensive understanding of where you do business, and from which states and municipalities, you collect, store, and process sensitive data. 2. Get your partners on board. Building and rolling out a comprehensive data privacy program involves educating and convincing functional partners in HR, Audit, business managers, etc. of the importance of complying with data privacy laws and requirements. Creating a data privacy compliance program is necessarily a cross-functional endeavor. Information security individuals should be involved to ensure the specifics of firewalls, encryption, and access protocols. As many laws also require regular program audits, internal audit will need to be part of the team. Strong data privacy teams typically include staff from HR, Information Security, Legal, Compliance, and Internal Audit. 3. Prepare in advance for data breaches. Developing and enforcing breach response protocols allow companies to pre-empt and quickly respond to the risks that can arise from data security breaches. Companies should plan in advance for potential breaches by developing a taxonomy of data breach incidents to establish appropriate controls and response plans; drafting data breach policies, including formal investigation procedures; creating a breach response management team to enable faster action; and conducting data breach 'rehearsals' to identify critical process gaps and ensure cross-functional coordination. 4. Don't take vendor compliance for granted. Many data privacy laws hold companies responsible for third-party data privacy failures. At a minimum, companies must take steps to ensure that their third parties are both familiar and compliant with the company's policies as well as all applicable laws and standards. In addition, companies should take steps to ensure that they know when a vendor loses its Safe Harbor certification during the period of the contractual agreement. Recommended steps to ensure vendor compliance include, comprehensive training, regular monitoring of third-party data-handling procedures and security controls, and right-to-audit clauses and termination rights in the contractual agreement. A company's information provides vital insight and a significant advantage amongst its competition. By following the directives that are detailed above, managers can help keep its company's information private.
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes. |
|
ALERT  WebTrust Is Your Best Defense Against Privacy Breaches. Get WebTrust Working For Your Site. |