Fortune 1000 companies are emphasizing new privacy initiatives this year, increasing annual privacy budgets to $3 billion in 2015. According to Linda McReynolds, a senior attorney at Marashlian & Donahue, LLC, the CommLaw Group, enterprises can be better positioned to weather unintended data breach emergencies by following these five tips:
- Conduct regular Privacy Impact Assessments (PIAs). Knowing where your risks are and how a data breach could impact your enterprise is the first step in preparing for a breach and subsequent investigation.
- Double- and triple-check privacy policy accuracy. “The Federal Trade Commission (FTC) has signaled that it will come down hard on companies that publish false ‘bait-and-switch’ statements regarding their handling of customer data,” writes McReynolds. Ensure that your company’s privacy policies accurately reflect how data is collected, stored and transmitted, as any discrepancies between language and reality will be discovered after a breach occurs.
- Tighten access restrictions. Access to customer data should be limited on a “need to know” basis, and employees should be trained to prevent unauthorized use of computers, addressing the risks of opening personal email on company computers or using USB drives.
- Data breach preparedness. Be prepared to notify your customers according to state and federal standards. Company statements to consumers should be as accurate as possible to avoid scrutiny from investigators.
- Appoint a privacy professional. According to McReynolds, “Developments at the FCC (Federal Communications Commission) and in Europe point to a growing consensus among regulators on the need for companies to have a privacy officer. Last October, the FCC fined two carriers, TerraCom, Inc., and YourTel America, Inc., $10 million for compromising sensitive personal data after promising to protect it. As part of the settlement, the FCC made a deal of sorts with the companies that it would consider reducing the fine if the carriers took steps to mitigate the impact on customers, with a key step being to appoint a Chief Privacy Officer. This was a rare concession from the FCC, and it sends a signal to the industry that when the FCC reviews data breaches for liability it will be looking directly at the management structure behind a business’ data security apparatus.”