With privacy laws getting more stringent, Canadian businesses need to take a hard look at their compliance policies or face dire consequences, experts say.
Penalties for not playing by the book are stiff, warns Sarwat Nafei, manager of risk advisory services at Ernst & Young LLP (E&Y).
He said protecting privacy is much harder today, with employees toting sensitive data around in pocket-sized devices.
But that doesn’t mean the challenge can’t be met.
At the Infosecurity Canada conference in Toronto last week, the security expert shared eight proven strategies companies can use to protect critical data from security breaches.
1. Identify and classify
Assign a security professional in your organization to be in charge of privacy. Their first task should be to go through the personal information in your company’s databases and classify it, Nafei says.
“While many organizations have data classification policies in place, they’re often outdated and not serving their purpose,” he adds.
A review and update of your company’s policies should be done with the regulations of the countries in which you operate top of mind.
Go through your information with a fine-tooth comb and make sure all databases are inventoried.
2. Less is more
When it comes to the amount of personal information kept on your company’s servers, less is more, Nafei says. Company practices should limit the collection, use, disclosure and retention of personal information.
Businesses should also ensure their staff practice data minimization, he adds.
When dealing with third parties – such as partners or vendors – require that they have transparent practices and disclose what they’re doing with any personal data you may share, he says.
“This has to be clear in contracts or other engagements with third parties,” he says.
3. To decode or not decode
One of three statements describes where your company stands on data encryption, Nafei says:
– It’s overdone
– It needs to be updated
– It’s not happening at all
All companies should have a policy that encrypts data at rest and data in transit as standard procedure, he recommends. Full-drive encryption is a more effective way to go about this than folder-based techniques: it covers the whole device, including temporary files and swap space, so a lost or stolen laptop does not leak data that happened to sit outside a protected folder.
And don’t forget the data exchanged with third parties either, the E&Y expert says. Require that all parties you exchange data with also use effective data encryption technologies. But don’t waste time and money encrypting data that is not sensitive.
“We don’t want to over-do it,” the speaker says.
4. On the road again
Don’t count on your average employee having information security top of mind when he or she is on a business trip or works from home.
Effective safeguards are needed to counteract the added risk created by telecommuting, Nafei says.
“You need to equip the mobile device with security features that will safeguard information,” he adds. Medium and large organizations that tend to have many workers out in the field are most at risk.
5. Enforcing strict standards
When dealing with third parties such as vendors and business partners, don’t be afraid to demand the same tough privacy standards your own company practices. Most will be willing to cooperate, Nafei says.
“What we encourage organizations to do is review the controls and communicate with third parties you’re dealing with,” he says. “Believe me, they’ll be willing to implement new controls.”
Identify how the relationship works and where data is exchanged. Then work with the third party’s own risk management team to define the privacy and data protection requirements.
This isn’t just a one-time event, but an on-going process with your partners, Nafei advises.
6. In case of emergency
When a breach does occur, quick action is required on the part of the business to curb the potential harm, Nafei says.
“Effective and timely management of privacy [breaches] is critical,” he says. Some firms have been slow to respond, he said, and the resulting negative media coverage has gravely hurt their reputation.
Assemble an emergency privacy breach squad, he says. Pick the team members and draw up a plan for responding to incidents ahead of time, before one occurs.
Any breach could have legal ramifications, so it is a good idea to communicate with law enforcement agencies about your response plan in advance.
7. It’s a small world after all
If your company is international, then your data is spread across the world and you need to be concerned with the compliance rules of different countries, Nafei says. Identifying the relevant regulatory bodies in each country is the place to start.
Don’t forget to hold the local partners you work with to the same standards.
“You’ll need to catalogue the transfer of information between countries,” he says.
8. Building a better mousetrap
Research reveals that organizations face an increasing risk from insiders, Nafei says. This being so, your company should monitor how personal information is handled not only by clients, but also by employees.
Compliance rules often require consistent monitoring of this sensitive data to guard it against those who might try to steal it, including people inside the organization.
“Any organization has some form of activity that is a monitoring solution,” Nafei says. “The question to be asked here is whether the existing solution addresses the main risks and if it is considered reasonable or not.”