July 21, 2015

A Business Owner's Duty to Protect Sensitive Company Data

By Paul Peterson, Managing Partner, Wiss & Co. LLP

No two companies are the same in culture, work environment or the vulnerabilities inherent in their digital landscape. This makes it very difficult to implement a standard way of protecting workers and customers from external data threats to their privacy and security.

But nothing is more important to your company’s credibility and positive relationships with customers and employees than safeguarding their sensitive data. It’s a legal and ethical imperative. After all, you’ve seen the economic and reputational damage done to companies ranging from Target, AOL, Google and Home Depot to Heartland Payment Systems and Sony Picture Studios for data breaches that could have been avoided. Even departments and agencies of the U.S. government have fallen victim to hacker attacks.

You can start addressing potential issues with an honest assessment and a four-step evaluation and action plan. 

  • Identify your worst-case scenario. Threat levels can vary dramatically based on your company profile. But even if you don’t think that sensitive data is a part of your business, you still most likely have access to the banking, health care and performance records of employees.

Start a threat assessment by compiling a picture of the worst danger a data breach might pose. Would you have enraged clients or embarrassed patients? Could your company be humiliated by a release of private communications? (Think Sony Studios.) Would you be facing lawsuits or a public relations nightmare? With a clear risk assessment, you’ll know just how seriously you must take the situation and how quickly you must act to protect your systems and minimize the threat.

  • Establish a policy — and put it in writing. Don’t count on supervisors putting the word out regarding the dos and don’ts of properly handling and protecting company data. Formulate, write and distribute a corporate policy statement that details the standards, rules and regulations that all are expected to follow. Your internal or external IT professionals are most familiar with the vulnerabilities, so be sure to consult them as you prepare the statement — and don’t forget to update your document whenever new technologies emerge and new threats develop.

  • Determine who’s in charge. The ultimate responsibility and action plan have to start from the top. Do you have the right people safeguarding your sensitive data? Do you have an adequate defense? The issue is too important for IT to be the only party saddled with the task of protecting your digital privacy and security. The leadership team needs to be involved.

  • Address risks. You may need to partner with third-party experts who know how to assess your threat level, install and test system security measures and further mitigate risk through employee education. For instance, all of your people should understand the importance of connecting external storage devices (such as thumb drives) to the company network only if they have been encrypted.

Starting with these four steps will put you well on your way to making your data safer, maintaining the integrity and good reputation of your company and protecting the privacy and security of your employees, customers and vendors. 

As a managing partner at Wiss & Co. LLP, Paul Peterson oversees firm operations including data security and advises clients on various business issues. Reach him at ppeterson@wiss.com.