Breached or soon to be breached . . . plan anyway (Part 2)

Understanding and managing the risks associated with the changing world of data security, and being prepared for breaches and how to respond, have become business necessities. This three-part series, based in part on a presentation given by Michele L. Cohen, a principal with the law firm Miles & Stockbridge P.C., at Trellance’s immersion 2018 conference, outlines the balancing act between convenience and data, and provides a framework for preparing for breaches and what actions to take in response. Part 1 focused on what is at risk, what causes breaches, and the fact that breaches are inevitable. This Part 2 will focus on planning and documentation for the inevitable.

The first step in planning for a breach involves investigation, assessment, and a lot of “legwork” to establish a process for evaluating data collected and managed by the organization. Every piece of data must be evaluated to determine whether it is personal to an individual. Every place that such data is stored, and each recipient receiving access to the data, must be identified, with formal controls established over each step. The data that is collected by the organization may include member data, employee data (and possibly vendor personnel data), and non-member data in the case of former members or prospective members. The data may be collected for various reasons based on organization needs, including for loan applications, member account set-up and administration, and communicating with members. Remember that personal data of the organization’s employees and non-employee personnel is subject to the same concerns and planning process. Where data comes from, how it is collected, and where it is used, shared, and stored must all be identified, along with policies and procedures to manage its use, access, release, and disposition. This is also the time to determine what data the organization’s employees and third-party providers need to access in order to perform their roles, so that only the needed access is provided.

 
