Unfortunately, data breaches are a real concern for companies and individuals alike: a recent Information Week article reported that nearly 200 breaches were disclosed between January and June 2012, involving over 13.7 million sensitive records. In the worst-case scenario, a data breach can result in litigation and significantly damaged reputations.
For organizations across the country, data security compliance is no longer simply an HR or finance concern. As more and more information moves out of the filing cabinet and into the data center, I.T. departments must play an integral role in data security compliance. Unfortunately, paper shredders are more prevalent at most organizations than effective data protection solutions. This lack of proper data protection can be a nightmare for I.T. departments, as well as other internal departments, especially if a data breach does occur.
One of the biggest data security misconceptions is “I am not a target.” Businesses of all sizes across numerous industries can experience data breaches. To prevent such data leaks and the resulting repercussions, here are several preventative measures that all I.T. departments should consider:
Understand relevant compliance regulations. The first step prior to implementing data security measures is to understand the general and industry-specific regulations, at both the federal and state level, that impact data security. Spend some time with a member of human resources, legal, or whichever internal department manages compliance at your organization to determine which criteria you must consider. Examples of federal data security regulations include the Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transactions Act of 2003 (FACTA), the Gramm-Leach-Bliley Act (GLB), and the Sarbanes-Oxley Act (SOX).
Develop internal policies to meet or exceed regulatory requirements. After gaining a clear understanding of the relevant regulations and of what compliance entails, internal privacy and security policies must be established. Keep in mind most regulations have multiple dimensions of compliance. Therefore, keep physical, technical, administrative, and human capital safeguards in mind when developing departmental or organizational policies.
Develop a data retention and data destruction policy. Examine your entire infrastructure and determine which hardware contains any confidential information. Most likely you will find that the vast majority of your hardware contains data which, if breached, may violate relevant regulations. Then devise a data encryption plan for the hard drives within this hardware. Remain cautious about relinquishing dead or damaged hard drives to third parties, and consider a hard drive retention warranty program, such as Aventis Secure Drive. This will allow you to retain any failed hard drives and still receive warranty replacements, which will keep costs down. Also, make sure to develop a secure and proven data erasure or drive destruction strategy for any hardware that you retain.
Train employees within the I.T. department and across the organization. With the proper policies in place, employees must be appropriately trained regarding how to remain individually compliant within their roles. This will range from server and application security training for employees in the I.T. department, to email password protection training for other company employees.
Develop a response plan, just in case. Even with the best data security plan in place, a breach may still be possible. Create a response plan in advance so you will know where to start, which steps to take, and whom to contact in the event that a breach does occur. By promptly telling those directly affected, you can most likely minimize the damage to your brand's reputation.