By Patrick A. Fraioli, Jr. and Harrison D. Finch*
The title, of course, begs the question: does your business even have an Information Governance Program? If not, you should get one—quick.
An integrated Information Governance Program is considered a “best practice” to help your business “protect, detect, restore and recover” from significant data loss incidents. Just having a “policy”, or a form employees sign without more, or relying on your IT Department for privacy & security compliance, is a recipe for disaster. In addition, your business may already be required by law to have several elements of an Information Governance Program—one that addresses both data privacy and information security. For example, under both the Health Information Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), companies are required to have a designated “Privacy Official”, a written Incident Response Plan, and formal employee training—key elements of an Information Governance Program. Finally, a formal Information Governance Program can be an enormous competitive advantage. If consumers believe that you really do take seriously the privacy and security of their information, they are more likely to trust your business with their information over a competitor.
Here are ten top priorities for building your program:
- Get Buy-In from the C-Suite & the Board. True Information Governance starts at the top, with commitment from senior management. Just downloading a few forms off the internet will not suffice. Both the Federal Trade Commission (FTC) and the U.S. Securities and Exchange Commission (SEC) have fined companies—and fined and censured their officers—for “going through the motions” on privacy and security. You cannot fake it.
- Assessment & Review. Your business maintains multiple types of information, with different levels of sensitivity, confidentiality and criticality. Information is truly power, and often a business’ data is its most prized possession. At a minimum, you need to know what you have, where you keep it, how you store it, how you secure it, who needs access to it, when you may no longer keep it, and how you must dispose of it.
- Designation of a “Privacy Official” and/or Information Security Officer. Put someone in charge. Give them responsibility and authority to get things done. Pick someone who will speak truth to power, is available for questions, complaints and notifications, and is a central repository for institutional knowledge regarding privacy and security incidents.
- Written Policies, Standards & Procedures. At a minimum, you must have an Acceptable Use Policy, an Incident Response Plan, and a Disaster Recovery (or Business Continuity) Plan. Many large companies will not renew contracts with vendors unless they have these three, at a minimum. You must also create, review and regularly update many other policies, notices and agreements, such as those related to employees bringing their own devices to work, mobile device management, document retention and destruction, and website privacy practices.
- “IAM”—Identity & Access Management. Limit employee access to personal information. Segment servers so that unauthorized access to one does not compromise all. Require periodic changes of passwords.
- Employee Training & Education. Perhaps nothing is more important to good Information Governance. Any program should have layers of protection: physical, technical and administrative safeguards. Ultimately, your people are likely to be your greatest strength (if you have a good program) or your greatest weakness (if you do not).
- Vendor Policies & Agreements. Many breaches take place because trusted vendors are allowed to access confidential information. If your business has an obligation to secure data, that obligation is still yours even when a vendor has your information. Satisfying that obligation requires affirmative action on your part: internal policies, vendor agreements and reasonable due diligence regarding your vendors.
- Continuously Monitor, Update & Test Systems. Having systems in place does you no good if you ignore them or neglect to stay current. A data breach incident is like a fire or other disaster. If you have not rehearsed what to do, you will move slowly and make errors, when it is most critical for your business to react quickly and effectively.
- Cyber Insurance. Cyber insurance, like other insurance, is a way for your business to shift the risk of a data breach. Coverage is available for businesses of all sizes; however, you must carefully review the terms of coverage, and seek the advice of a competent broker. Exclusions are a significant concern.
- Build & Nurture a Culture of Privacy & Security. Information Governance, like Corporate Governance, requires education, awareness and reinforcement. Remember the old saw: “How do you get to Carnegie Hall? – Practice, Practice, Practice.” Embed Information Governance in every one of your business processes. We call this “Privacy by Design” and “Security in Depth.” By building a culture of privacy and security, you can achieve the kind of layered protection necessary in the Age of the Data Breach.
Your employees and customers expect you to safeguard their personal information. An Information Governance Program can enable you to do that, but also (and perhaps more importantly) to recover quickly from a data loss incident, should one occur. In the Information Age, this may end up being the ultimate competitive advantage.
*Patrick A. Fraioli, Jr. is a partner and Harrison D. Finch is an associate in the Data Privacy and Security Workgroup of Ervin Cohen & Jessup LLP.