Protecting personal information stretches far beyond keeping your credit card close to your chest. Companies need to take care of privacy issues, as they house tons of personal information about employees and customers – not to mention confidential information about the company itself. Think about what would happen if one of your competitors had access to your systems, or if an employee cracked into the HR database and snooped around at information in other employee files.
Doesn’t really sound like something you want happening within your organization, and I don’t blame you. Companies are up against an ever-changing list of internal and external security threats, and depending on who you ask, your biggest corporate security threats may well come from within the organization.
So, how do you handle this?
Internal Privacy Policies
- Employee records - personal information, medical history, etc.
- Email and Internet usage guidelines
- Handling client/customer information
- Internal systems and access - permissions, responsibilities, access to files, etc.
- Mobile devices - company phones, laptops and other devices, and their disposal
- Established laws and regulations
- Consequences for violating the policy
- Reporting a security breach
It seems like a lot to cover, and it is, but these are all important topics that require significant consideration. If your company uses any sort of employee monitoring, such as web surfing or telephone monitoring, communicate this in the policy and make employees aware that there are measures in place to ensure compliance with the policy.
The Nitty Gritty
- “Do all employees follow strict password and virus protection procedures?
- Are employees required to change passwords often, using “foolproof” methods?
- Is encryption used to protect sensitive information (a particularly important measure when transmitting personally-identifiable information over the Internet)?
- Do you regularly conduct systems-penetration tests to determine if your systems are hacker proof?
- Do you have staff specifically assigned to data security?
- Do staff members participate in regular training programs to keep abreast of technical and legal issues?
- Have you developed a security breach response plan in the event that your company or organization experiences a data breach?
- Have you developed security guidelines for laptops and other portable computing devices when transported off-site?
- Is physical access restricted to computer operations and paper/micrographic files that contain personally identifiable information?
- Do you have procedures to prevent former employees from gaining access to computers and paper files?
- Are sensitive files segregated in secure areas/computer systems and available only to qualified persons?”
In addition to these questions, it’s important that employees know how to report a suspected or known security breach. Whether it was an accident, such as sending an email to the wrong contact, or something overheard, such as an employee selling sensitive company information, every incident needs to be reported. In the policy, include a list of phone numbers, email addresses and any other contact information employees can use to report a security breach.