Internet privacy: 6 ways to ensure your organization is protected

On Wednesday June 26, 2013, NICSA held its Midwest Regional Conference at The Standard Club in Chicago.  The opening keynote for the conference was presented by Stacey C. Bolton – Senior Vice President, Chief Privacy Officer, The Northern Trust Corporation on the subject of managing data privacy and client confidentiality.

Fingerprint on digital screenHere are Stacey’s keys for what you need to know to keep your organization protected:

Know The Law

Understanding the key US and Global Privacy Laws that pertain to your organization is a critical first step.  Depending on where your organization is based, the definition of “privacy,” “personal data,” and even what constitutes a data breach can be very different – state to state, and country to country.  Know and understand the laws that apply to your firm.

Have a Privacy Program

A good privacy program includes processes to assess risk, prevent information loss, and a program to deal with data security breaches when they happen.  It should also include a communications policy (both internal and external).  Firms might benefit from having an internal privacy awareness and training program for staff to establish and raise a culture of confidentiality in your firm. Periodic audits of your program are important to staying up to date and ensuring that your program can deal with the latest potential threats.

Have Internal Controls in place

Data Management, IT/Operations, Governance, and Compliance all need to work together to ensure data privacy and confidentiality controls.  Every department deals with confidential data, and it is critical that all departments work together to enforce and manage privacy programs and policies.

Privacy Policy

Define for your organization what constitutes “personal data” based on applicable laws for the firm.  Create awareness with employees on what they can and can’t email or share with others. 

Breach notification protocol and breach event management

When an information breach is suspected, have a plan.  Investigate the breach, confirm the risk, and then follow your established protocol for what happens next:  Who needs to be notified (regulatory authorities, customers, your Board, etc.)and what the message is.  Have a remediation protocol:  assess how the breach happened, and what can be done to prevent it in the future. Create a culture where employees understand the importance of communicating any potential breaches to which they become aware.

Information Loss Prevention

Most importantly, have the tools in place that can help identify potential data risks, and prevent breaches before they happen.  ILP (Information Loss Prevention) solutions and software can be invaluable in identifying potential data breaches.  Data encryption tools are an often-overlooked tool that can be invaluable to securing data within and outside your firm.

What are some ways that your organization practices data privacy? Have they been successful?

NICSA: 8400 Westpark Drive, 2nd Floor McLean, VA 22102 • Tel: 508.485.1500 • Fax: 508.485.1560