
Government / Regulatory Compliance: What do I need to do?

The “rule of thumb” for information compliance and loss-prevention programs has been to put everything you can in writing and buy insurance to cover the rest. Building such a program typically starts with a short survey whose answers are turned into very general policy statements. Employees are then “trained” by being asked to read the policy and sign it. Programs built this way are not broad enough in scope to cover all of the information actually at risk, and they do not focus on the day-to-day practices that leave the institution exposed.

Information Loss

Unfortunately, such policies are already out of compliance at the moment the owners, the Board, or the executives approve them, because they do not address the full scope of risk to the operation.

Let’s say that you or one of your employees loses a business laptop. If the lost device held personal, medical, financial, or business information, every exposed individual generally must be notified under the breach-notification law of the state in which that individual resides, so a single lost device can trigger obligations under several different statutes at once. Two practical points follow: you need to know what was on the device, which means an inventory or data classification that predates the loss, and you need to know whether the data was encrypted, because most state statutes scope their duties to specific categories of personal information and exempt data that was properly encrypted. Full-disk encryption, and a record proving it was enabled on that machine, are what let you demonstrate that a lost laptop was not a reportable breach.

In addition to the reputation damage and lawsuits that may follow your notification letters, the lost information may be protected under many laws with which you are expected to comply. In other words, regulators may cite your organization under several different laws for this one incident. That means serious fines, penalties, and government intervention.

“A defensible position for compliance must be derived from commonalities in privacy, security, usage, and notification law, as well as Federal Trade Commission enforcement actions involving information breaches.”
