In our previous blogs we have been sharing with you concerns that every business has with data security. The material is drawn from our article entitled, “Secure Your Data,” appearing in the July 2015 issue of Trends magazine, published by the American Animal Hospital Association.
In this blog we outline steps you can take to minimize your risk. Of course, it is best to take steps toward prevention, so start with #1.
- Prepare an inventory of private personal information you collect. For example, know the answers to these questions: What data do you collect, and why? Where is it? How well is it protected? Who can access it? When do you use it? How do you use it?
- Prepare a risk assessment, including third-party vendors and contractors.
Talk to your operating system vendor. See that your system has the highest certification level, which is the CompTIA (Computing Technology Industry Association) Security Trustmark. Your assessment should include a review of your contract for ongoing support and updates. It should confirm that you have encrypted all your personal data, enabled your operating system’s firewall, and made sure your records are backed up.
- Develop policies and procedures.
Policies and procedures can clarify for all of your staff how to keep the personal information that you collect secure. For example, you will want to define who can have what access to sensitive data, plan for a regular review of your state laws, plan for proper disposal of sensitive data by shredding documents prior to recycling or clearing devices before you dispose of them, and prepare a disaster and recovery plan.
- Conduct training for all staff.
All team members must be aware of the presence of data in its various forms and understand basic password safeguarding and changing. Your training will ensure that staff members know not to open potential spam or phishing emails and to be cautious about downloading files. Training should include a discussion of paper files and data in storage cabinets and on removable storage devices (like a thumb drive or CD).
- Review your insurance coverage.
Your general insurance policy won’t cover a data breach attack. Besides the costs, think, too, of regulatory quagmires you might find with such a breach.
Whether as a rider on existing insurance or a separate policy, you can expect coverage to include the cost of lawsuits that might follow after confidential customer data is stolen. Also included are the costs of notification expenses, public relations and crisis management, and business interruptions due to attacks that cripple websites, acts of extortion, or the introduction of malicious code or viruses.
- Plan for a response to a possible data breach.
Hopefully, all of your preventive work will protect you from a hacker or data breach, or even a flood or fire that would compromise your data. But what if there is a breach? What do you do?
If you have data breach insurance, you will first contact your provider. You’ll soon learn that there are many things you’ll need to do, such as:
* Taking stock internally – reporting to your staff and contacting your insurance broker;
* Reaching out to experts – a breach coach, perhaps a forensics expert, and probably someone with experience in public relations;
* Addressing notification obligations outlined by state and federal law as well as by the Payment Card Industry (PCI);
* Addressing multiple inquiries, such as those from state regulators (that is, the State Attorney General), federal regulators (dealing with Optical Character Recognition or OCR), maybe federal agencies (e.g., SEC, FTC), consumer reporting agencies, and plaintiffs.
That’s it for now.
Carolyn and John