Lydia Payne-Johnson, Chief Privacy Officer, Freddie Mac
Heather McAllister, JD, CCEP, Vice President, Legal & Compliance, K12
Ralph Sorrentino, US Chief/Consulting Chief Confidentiality Officer, Deloitte LLP
Rachel Wolkinson, Attorney, Proskauer Rose, LLP
The day is winding down at the Washington D.C. Compliance & Ethics Regional Conference, and the last session of the day covers one of the hot topics on everyone's mind: data privacy.
The session discussed three basic tenets of privacy, process, technology, and people, with the main focus on people. Interestingly, many programs discuss technology and process at length but go into far less depth on the people component. This session really drove home the importance of giving the people component the attention it needs in the data privacy and security plan.
With regard to data privacy and security, it is important to consider a number of different questions, such as:
- What is your plan?
- Do you know where your data is?
- Who has access to it?
- Have you implemented detective and preventative controls to mitigate the risk of the data being stolen?
- Have you developed and/or revisited your privacy and security governance programs to consider new technologies, workplace flexibility, etc.?
- Have you connected with your corporate ethics group about incorporating enhanced language on employee/contingent worker wrongdoing related to privacy and information security?
Further, during the session, the panelists went through various scenarios discussing data breaches and focusing on the ever-important people component. After a very lively and engaging group discussion, some best practices for mitigating people risk emerged:
- Eliminate poor networking choices
- Monitor outbound email traffic and endpoint activity (e.g. removable media devices) to detect data loss, possible fraud, and cyber-security incidents.
- Improve and monitor document shredding practices
- Pay close attention to certain times of the year (tax, quarter close, etc.)
- Identity theft resulting from information exposed in public databases
- Identity theft resulting from using a personal name instead of filing as a "DBA"
- Establish strong, secure password protocols
- Require that laptops, hard drives, and other media assets be kept secured
- Watch for social engineering and phishing scams
- Establish a strong bring-your-own-device (“BYOD”) policy and standards
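The monitoring item above (outbound email and removable-media activity, with extra attention around quarter close and tax season) is the one practice in this list that can be turned directly into detection logic. The following Python script is an added illustration, not material from the session or the panelists: it runs a simple rule set over constructed mail-gateway and endpoint log lines, flags outbound mail to personal webmail, sensitive-looking or large external attachments, SSN patterns, and removable-media writes, and then correlates the two feeds by user. The log formats, the domains `example-corp.com`, `gmail.com` and `partner.net`, the size threshold, business hours, and the "sensitive period" calendar are all assumptions made for the example.

```python
"""Added example (not from the conference session): a minimal detection pass
over constructed mail-gateway and endpoint logs for the people-risk signals
the panel described. Every format, domain, threshold and calendar rule here
is an assumption for illustration."""
import re
from datetime import datetime

INTERNAL_DOMAINS = {"example-corp.com"}                        # assumed corporate domain
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}    # assumed personal-mail domains
LARGE_ATTACHMENT_KB = 5000                                     # assumed size threshold
SENSITIVE_NAME = re.compile(r"(payroll|ssn|customer|w-?2|1099)", re.I)
SSN_IN_TEXT = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample data: timestamp|sender|recipient|attachment|size_kb|subject
MAIL_LOG = """\
2024-03-29T17:42:10|alice@example-corp.com|bob@example-corp.com|q1_slides.pptx|820|Q1 deck
2024-03-29T18:05:44|alice@example-corp.com|alice.home@gmail.com|payroll_export.csv|240|fwd
2024-03-29T18:20:01|carol@example-corp.com|vendor@partner.net|contract.pdf|6100|signed copy
2024-03-30T09:14:33|dave@example-corp.com|dave@example-corp.com|notes.txt|3|123-45-6789 for reference
""".splitlines()

# Constructed sample data: timestamp|host|user|event|device|path
ENDPOINT_LOG = """\
2024-03-29T18:07:12|WS-104|alice|usb_write|SanDisk Ultra|E:\\customers_2023.xlsx
2024-03-29T12:00:00|WS-211|erin|usb_mount|Kingston|
2024-04-02T10:30:00|WS-104|alice|file_read|local|C:\\Users\\alice\\doc.txt
""".splitlines()


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def in_sensitive_period(ts):
    """Quarter close (last days of Mar/Jun/Sep/Dec) or US tax season (Feb-Apr); assumed calendar."""
    day = datetime.fromisoformat(ts)
    quarter_close = day.month in (3, 6, 9, 12) and day.day >= 28
    tax_season = 2 <= day.month <= 4
    return quarter_close or tax_season


def flag_mail(lines):
    """Return one alert per outbound message that trips at least one rule."""
    alerts = []
    for line in lines:
        ts, sender, rcpt, attach, size_kb, subject = line.split("|")
        if _domain(sender) not in INTERNAL_DOMAINS:
            continue  # inbound mail; this pass looks at outbound only
        external = _domain(rcpt) not in INTERNAL_DOMAINS
        reasons = []
        if _domain(rcpt) in WEBMAIL_DOMAINS:
            reasons.append("personal webmail recipient")
        if external and SENSITIVE_NAME.search(attach):
            reasons.append("sensitive attachment name sent externally")
        if external and int(size_kb) >= LARGE_ATTACHMENT_KB:
            reasons.append("large external attachment")
        if SSN_IN_TEXT.search(subject):
            reasons.append("SSN pattern in subject")
        if reasons:
            if in_sensitive_period(ts):
                reasons.append("during sensitive period")
            alerts.append({"ts": ts, "user": sender, "reasons": reasons})
    return alerts


def flag_endpoint(lines):
    """Return one alert per removable-media write; mounts alone are treated as noise."""
    alerts = []
    for line in lines:
        ts, host, user, event, device, path = line.split("|")
        if event != "usb_write":
            continue
        reasons = ["removable-media write"]
        if SENSITIVE_NAME.search(path):
            reasons.append("sensitive filename")
        hour = datetime.fromisoformat(ts).hour
        if hour < 7 or hour >= 19:  # assumed business hours 07:00-19:00
            reasons.append("outside business hours")
        if in_sensitive_period(ts):
            reasons.append("during sensitive period")
        alerts.append({"ts": ts, "host": host, "user": user, "reasons": reasons})
    return alerts


def correlate(mail_alerts, endpoint_alerts):
    """Users seen in both feeds: e-mailed data out and wrote to removable media."""
    mail_users = {a["user"].split("@")[0] for a in mail_alerts}
    return sorted(mail_users & {a["user"] for a in endpoint_alerts})


if __name__ == "__main__":
    mail, endpoint = flag_mail(MAIL_LOG), flag_endpoint(ENDPOINT_LOG)
    for alert in mail + endpoint:
        print(alert)
    print("users to review first:", correlate(mail, endpoint))
```

On the sample data the script flags the payroll export sent to a personal Gmail address, the oversized external attachment, and the SSN in a subject line, plus the USB write of a customer file, and names `alice` as the one user who appears in both feeds. In practice the same structure sits behind a DLP or SIEM rule: the value is in the correlation and the sensitive-period weighting, not in any single regex, and every alert still needs a human reviewer before anyone treats it as wrongdoing.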
Finally, we wrapped up with some practical information regarding strengthening privacy and information security practices:
- Identify what kinds of highly confidential personal information your business handles, and how much of it.
- Understand your business' legal/regulatory obligations and risks
- Engage senior management to support privacy and information security programs
- Create a strategic game plan to engage employees and contingent workers
- Establish a way to measure success
- Educate your employees through ongoing awareness activities
- Enhance your Code of Conduct policy with privacy and information security requirements
- Perform continuous monitoring, testing, risk assessments and audits of your privacy and information security programs.