What to Consider When Drafting a Data Security Policy

Here’s a synopsis of what we shared during our session at OLA’s annual Compliance University.

To make sure we are up to date with the latest industry regulations, we regularly attend OLA’s annual Compliance University. At this year’s conference, we were asked to speak on data security. If you were unable to attend the event and missed our session, read on for a brief synopsis of what we shared.

Data Security: Important Considerations

We all manage sensitive information about our customers. Whether you’re collecting it and sending it to a buyer or purchasing it for your own needs, safeguarding this information throughout the entire process is a major responsibility.

Laws like the Gramm-Leach-Bliley Act, Credit Reporting Act, and Federal Trade Commission act require companies to secure sensitive information collected from customers.

As you review your standards and work toward writing a comprehensive data security policy, you may benefit from asking yourself the following questions.

What Personal Information Do You Obtain, Collect, Store, and Transmit?

Risk assessment is the first step toward a solid security plan. It requires you to determine what personal information you are dealing with and how sensitive it is. Ask yourself:

  • What type of data do you collect?
  • Who sends it to your company?
  • How is it received?
  • Where is it stored?

A lot of us collect financial information, either directly from the customer or through purchased leads. You may have customer data saved on your computers, laptops, mobile devices, and flash drives. Whether you store it or not, dealing with this type of data is very risky.

For What Purpose Are You Keeping Information?

If you don’t have a legitimate business need for sensitive customer information, it might be a good idea to stop collecting that information. We understand that data is expensive and you probably want to keep as much of it as possible just in case somewhere down the line it becomes useful. But it’s also true that no one can steal what you don’t have.

What Can You Do to Protect the Data You Do Have?

There are several ways you can safeguard your sensitive data:

  • Physical security – Keep your paper documents in a locked file cabinet. Invest in office security to keep would-be intruders out of your building. Limit the number of employees who can access the information, and consider how much data you will allow each vendor to access.
  • Electronic security – Protect your computers from outside hackers by installing and utilizing Internet security, firewall protection, an intrusion detection system, encryption, and password security. Then, make sure your employees are using these tools, too.
  • Vendor data security – Make sure your vendors’ data security practices are just as serious as your own. You might need to visit their offices, request a copy of their data security policy, and ask questions. It’s also helpful to let new vendors know about these expectations from the start by including them in your contracts. If one of your vendors suffers a data breach, they need to inform you immediately.
  • Cybersecurity liability insurance coverage – Just in case your best efforts fall short, insurance can help keep your business afloat.

Risk varies based on information type. For instance, you need to be extra careful with a customer’s SSN because it is more sensitive and valuable than other personal information.

How to Handle Data When It’s No Longer Needed

When it’s time to dispose of sensitive data, it’s important to prevent the information from falling into the wrong hands. That means shredding paper documents and using data wipe software to delete electronic files permanently.

What’s Your Plan in Case of a Security Threat or Breach?

The point is not to make your system impenetrable because that is impossible. You want it to be good enough to discourage hackers and get them to move along. Because with the right resources and enough determination, a hacker will be able to breach your system no matter how good your data security plan is. If this happens, it’s vital to investigate the incident immediately.

Since timeliness will be a priority after a breach, it helps to have a plan in place beforehand. Some of the first steps of your plan should be monitoring all data entry and exit points, closing off all vulnerabilities (even if you need to take some of your equipment offline), and contacting the appropriate parties.

You may need to hire outside counsel to determine if the breach has implicated any state or federal laws. A data forensics team can help you realize the scope of the problem and maybe the source.

Drafting Your Actual Data Security Policy

After you have considered the above points, you might be better prepared to create a solid policy for your business.

As you prepare the policy, consider its purpose and objective. It will need to comply with all applicable data security laws. It will need to protect you from liability. It should communicate how your data is accessed, collected, stored, used, transmitted, disposed, and protected – both in your office and what you expect from your vendors’ facilities.

Consider the scope of your policy. It should apply to all your employees (who need regular training on information security awareness), as well as your affiliate marketing partners.

A good data security policy should have clear goals, such as minimizing risk, maintaining confidentiality, ensuring integrity and accuracy, etc.

Be sure to define the risks that are specific to your company and outline how you plan to combat against these dangers.

Feel free to reach out if you run into problems while preparing your policy. While we can’t help you write it, we would be happy to share more insight into what we were thinking while preparing ours.