Is Your Company’s Data Really Safe?

It is often with the best of intentions that employees leave a company exposed to the serious financial and legal risks of a data breach. A recent FTC investigation found that the personal information of employees and customers for more than 100 organizations was leaked over the internet via personal file sharing on home computers. Jordan Lawrence sees this type of exposure in virtually every company they work with, and it isn’t the result of malicious employees. In our experience, the employees exposing companies to such data breaches are diligent ones who work at home on home computers and internet connections because they don’t have access to appropriate, secured resources such as company-issued laptops and secure networks.

Many companies have measures in place that block peer-to-peer file sharing on company resources, but the threat of a data leak caused by employee home computing still looms. There are steps companies can take to reduce home computing risks, and an assessment of what sensitive information employees are working with, and how they are working with it, is key. Once companies have a clear understanding of how their employees handle sensitive information in the normal course of business, they can build a foundation for a credible security program and begin eliminating data security risks.


Portable Storage Is An Important Part of Massachusetts Privacy Law

An important piece of the new Massachusetts privacy regulations that companies must prepare for is the requirement that all customer and employee personal data on portable storage media be encrypted and protected. Unfortunately, many companies assume that sensitive data resides predominantly on servers or other non-portable devices. Jordan Lawrence has performed hundreds of risk assessments, and has found that senior management is always shocked at the amount of personally identifiable information (PII) stored on portable storage devices and PDAs that leave the building each evening, unencrypted.

The risk posed by portable storage devices is a common one that most companies do not realize they are exposed to, but it is a risk that will carry much greater consequences after March 1, when the Massachusetts regulations take effect. Having a thorough understanding of all locations where data is stored in your company isn’t merely a luxury; it is now a compliance necessity. Will your company be compliant on March 1?


Proactive Steps Can Save Millions In Discovery and Review

Being proactive about data retention and destruction is essential to cutting costly discovery expenditures, and can save companies millions. Without a firm handle on what and where information is stored, a consistently enforced records policy, and the routine and proper disposal of obsolete data, companies could potentially spend up to 9% of their annual revenue on one discovery.

To keep discovery and other data-related costs under control, companies should start by developing a data map that provides a comprehensive view of all records and information, the associated media and applications, and where that information is located. Data maps continue to evolve over time with the company, and these maps are invaluable in locating information during discovery. Data mapping also offers valuable insight when making critical decisions about storage and destruction policies.

Controlling the amount of data your company retains is also a key component in controlling discovery expenditures, as document over-retention accounts for a significant and unnecessary part of discovery and review costs. These costs can be easily contained with a proactive document location and volume reduction strategy, literally saving your company millions.


Will You Be Compliant with the New Massachusetts Privacy Law?

As state and federal governments pass a flurry of new laws to protect personal information, companies are quickly finding that their processes and practices are not in compliance with the new regulations, and that they must act quickly to protect their company, employees, and customers.

A new Massachusetts privacy law is a game changer; it is the first in a series of laws that will be passed in the US and it is set to take effect on March 1. When this new law goes into effect in just a couple of weeks, few companies will be compliant. The new law says that any company in the United States that possesses personally identifiable information (PII) pertaining to customers or employees who are Massachusetts residents will be required to create an inventory of all paper and electronic records and media that contain PII, maintain a written security policy that includes disciplinary measures for violations, and perform regular threat assessments.

Massachusetts is the first state demanding companies take proactive measures to protect the PII and other confidential information of their residents, and more states are sure to follow suit. All companies will be impacted by these regulations, and since many companies will not be compliant on the March 1 deadline they will have to act quickly to ensure they are meeting the requirements of this new law.


The ROI for Protecting Confidential Information

Being proactive about protecting your company’s confidential information can go a long way in terms of cost savings. Many companies significantly underestimate what a data breach would really cost, but a recent Ponemon Institute study shows that, on average, a breach will cost $6.75 million. This estimate includes the costs of mandatory notification, post-breach credit monitoring services for victims, legal fees, fines, and the costs associated with disruption to legal and IT staffs during the breach.

Overwhelmingly, data breaches aren’t caused by malicious outside forces; rather, they are the result of process deficiencies and the resulting mishandling of information internally. Preventing a data breach is simply a matter of companies taking inexpensive, proactive steps to create and maintain a confidential information inventory, understanding what processes and people handle confidential information, and regularly conducting threat assessments. A small investment in securing confidential information will net a great return: an average return of $6.75 million, to be precise.
