Risk Assessment To Evaluate Data

As companies grow and become successful, they gather large amounts of personal data about their clients. The data a company collects is an important asset, but it becomes a liability when a data breach happens. After a breach, most states require a business to notify the clients whose data was compromised.

Many state breach laws define the term “personal information” as a first and last name (or first initial and last name) combined with another identifying element. That other element may be a social security number or an identification card number (e.g. a driver’s license, passport, military, or government ID). Florida law defines “personal information” as “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

Evaluating Company Data

A business manager needs to carefully examine the company’s computerized data by performing an assessment. A Data Risk Assessment evaluates a company’s data against four criteria:

  1. Types of Data: Classify confidential data that the law considers as “personal information.” Review data restrictions in contracts, business associate agreements, and privacy policies.
  2. Uses of Data: Examine where the company stores data (data-at-rest), where data moves (data-in-transit), and how the company uses data (data-in-use).
  3. Requirements of Data: Review legal responsibilities in state and federal laws, including data breach regulations and online privacy acts.
  4. Management of Data: Confirm who is responsible for controlling the data, which includes monitoring and securing the flow of information.
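
The “Types of Data” step can be made repeatable by checking a data inventory against the definitions quoted above. The following is an added example, not code from the original article: it encodes the two combinations this page describes (a name with an identification number; a user name or email address with a password or security question answer) as field-level rules, and the field names and sample inventory are constructed assumptions rather than values from any real schema or statute.

```python
from typing import Dict, List

# Constructed field-name vocabularies, modelled on the breach-law definitions
# quoted on this page; the field names are assumptions for this example, not
# taken from any real schema or statute.
FIRST_NAME_FIELDS = {"first_name", "first_initial"}
ID_NUMBER_FIELDS = {"ssn", "drivers_license", "passport_number",
                    "military_id", "government_id"}
ACCOUNT_FIELDS = {"username", "email"}
CREDENTIAL_FIELDS = {"password", "security_question_answer"}


def personal_information_reasons(fields: List[str]) -> List[str]:
    """Reasons a record with these fields is 'personal information':
    (1) last name plus first name/initial with an identification number, or
    (2) user name/email with a password or security question answer.
    An empty list means neither combination is present."""
    present = {f.strip().lower() for f in fields}
    reasons = []
    has_name = "last_name" in present and bool(present & FIRST_NAME_FIELDS)
    id_numbers = sorted(present & ID_NUMBER_FIELDS)
    if has_name and id_numbers:
        reasons.append("name with identification number: " + ", ".join(id_numbers))
    accounts = sorted(present & ACCOUNT_FIELDS)
    credentials = sorted(present & CREDENTIAL_FIELDS)
    if accounts and credentials:
        reasons.append("account identifier (%s) with credential (%s)"
                       % (", ".join(accounts), ", ".join(credentials)))
    return reasons


def assess_inventory(inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each data store that holds 'personal information' to its reasons;
    stores whose columns never form a covered combination are omitted."""
    findings = {}
    for store, fields in inventory.items():
        reasons = personal_information_reasons(fields)
        if reasons:
            findings[store] = reasons
    return findings


# Constructed sample inventory (store name -> column names) for the check.
SAMPLE_INVENTORY = {
    "crm_contacts": ["first_name", "last_name", "email", "phone"],
    "billing": ["first_initial", "last_name", "ssn", "card_last4"],
    "web_accounts": ["email", "password", "security_question_answer"],
    "newsletter": ["email", "zip_code"],
}
```

The check flags only column combinations, so a store that holds the same elements under other names, or spreads them across joined tables, is missed; it narrows the legal review to the stores that matter rather than replacing it.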

When conducting a Data Risk Assessment, consider the promises made to clients and agreements made with other business associates. For example, a company’s privacy policy should include an “opt out” provision when a company shares data with other companies. This means the company should have a procedure in place to ensure it processes and follows each “opt out” request.

A Data Risk Assessment is critical to implementing company policies such as internal controls and data retention schedules. Importantly, the assessment serves as a framework for a company’s cyber due diligence to secure sensitive information.

Alice is a member of the Florida Bar, and she focuses on data privacy and cybersecurity compliance in her law practice. She attended the Warrington College of Business at the University of Florida and earned a Bachelor of Science in Business Administration. After graduating, she earned a Juris Doctor at the Stetson University College of Law. During law school, she served as an Assistant Executive Editor for Stetson Law Review and also as a Staff Editor for Stetson Journal of Advocacy and the Law. She currently serves as Chair of The Florida Bar Journal/News Editorial Board.