Companies gather lots of personal data about their clients as they grow and become successful. Data that a company collects is an important asset, but it can also be a liability when a data breach happens. After a breach, most states require a business to notify compromised clients.
In many state breach laws, the term “personal information” is often defined as a first and last name (or first initial and last name) with another piece of identification. The other identification piece may be a social security number or an identification card number (e.g. driver’s license, passport, military, or government). Florida law defines “personal information” as “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”
Evaluating Company Data
A business manager needs to carefully examine its computerized data by performing an assessment. A Data Risk Assessment involves evaluating a company’s data with four criteria:
- Types of Data: Classify confidential data that the law considers as “personal information.” Review data restrictions in contracts, business associate agreements, and privacy policies.
- Uses of Data: Examine where the company stores data (data-at-rest), where data moves (data-in-transit), and how the company uses data (data-in-use).
- Requirements of Data: Review legal responsibilities in state and federal laws, including data breach regulations and online privacy acts.
- Management of Data: Confirm who is responsible for controlling the data, which includes monitoring and securing the flow of information.
A Data Risk Assessment is critical to implementing company policies such as internal controls and data retention schedules. Importantly, the assessment serves as a framework for a company’s cyber due diligence to secure sensitive information.