Many companies have measures in place that block peer-to-peer file sharing on company resources, but the threat of a data leak caused by employee home computing still looms. There are steps companies can take to reduce home computing risks, and an assessment of what sensitive information employees are working with, and how they are working with it, is key. Once companies have a clear understanding of how their employees are handling sensitive information through the normal course of business they can build a foundation for a credible security program to begin eliminating data security risks.

The risks posed by portable storage devices is a common one that most companies do not realize they are exposed to, but it is a risk that will carry much greater consequences after March 1 when the Massachusetts regulations take affect. Having a thorough understanding of all locations where data is stored in your company isn’t merely a luxury for companies- it is now a compliance necessity. Will your company be compliant on March 1?

To keep discovery and other data related costs under control, companies should start with developing a data map that provides a comprehensive view of all records and information, the associated media and applications, and where that information is located. Data maps continue to evolve over time with the company, and these maps are invaluable in locating information during discovery. Data mapping also offers valuable insight when making critical decisions about storage and destruction policies.

Controlling the amount of data your company retains is also a key component in controlling discovery expenditures, as document over retention accounts for a significant and unnecessary part of discovery and review costs. These costs can be easily contained with a proactive document location and volume reduction strategy, literally saving your company millions.

A new Massachusetts privacy law is a game changer; it is the first in a series of laws that will be passed in the US and it is set to take effect on March 1. When this new law goes into effect in just a couple of weeks, few companies will be compliant. The new law says that any company in the United States that possesses personally identifiable information (PII) pertaining to customers or employees that are Massachusetts residents, will be required to create an inventory of all paper and electronic records and media that contain PII, maintain a written security policy that includes disciplinary measures for violations, and further they must perform regular threat assessments.

Massachusetts is the first state demanding companies take proactive measures to protect the PII and other confidential information of their residents, and more states are sure to follow suit. All companies will be impacted by these regulations, and since many companies will not be compliant on the March 1 deadline they will have to act quickly to ensure they are meeting the requirements of this new law.

Overwhelmingly, data breaches aren’t caused by malicious outside forces, rather they are the result of process deficiencies and the resulting mishandling of information internally. Preventing a data breach is simply a matter of companies taking inexpensive, proactive steps to create and maintain a confidential information inventory, understanding what processes and people handle confidential information, and regularly conducting threat assessments. A small investment in securing confidential information will net a great return- an average return of $6.75 million to be precise.

Judge Scheindlin noted in her opinion, which supports the precedent-setting 2003 opinion she wrote in Zubulake vs. UBS Warburg, that the courts do not expect perfection, but, “By now, it should be abundantly clear that the duty to preserve means what it says and that a failure to preserve records – paper or electronic – and to search in the right places for those records, will inevitably result in the spoliation of evidence.”

The sanctions came in response to the plaintiff’s lack of effort in enacting litigation holds, including the failure to procure documents and the failure to stop the destruction of information in the case of The Pension Committee of The University of Montreal Pension Plan vs. Banc of America Securities LLC.

It is critical for companies to be able to quickly enact a litigation hold order, accurately identify likely custodians, and have complete assurance that the hold reach the intended recipients to protect companies from these types of sanctions. This expectation was set with the Zubulake opinion, and the recent ruling reinforces that companies must have a solid hold management system.

When the security of personally identifiable information (PII) is at stake having a solid policy in place is important, but understanding how employees are doing their jobs is also a vital part of records security that is often overlooked, or completely undetected by DLP. The impact of risks resulting from employee process was illustrated recently when an external drive containing medical records and other PII for 15,500 patients of Kaiser Permanente in Northern California was stolen from an employee’s vehicle. A comprehensive inventory of a company’s confidential information and the management processes around that data, is the foundation of any solid data protection strategy.

For many companies, the first step in shoring up and defending themselves against a major data breach is assessing where their information is being stored, both on the network and off, and knowing who has access to this information. Once a company understands these key pieces of the information management puzzle, they are better positioned to implement and enforce policies and procedures that will protect them from the financial and legal risks that all companies dealing with PII face.

What do the new regulations under DATA mean for companies?

1. All companies that store PII will be required to secure their information with auditable policies and procedures, including the adoption of a secure, defensible data destruction process for all non-electronic information. Though the bill doesn’t outline exactly what the policies and procedures must be, to meet these requirements companies will have to thoroughly understand the regulations and best practices for their industry in order to implement a strong system for securing their information.
2. If companies experience a security breach they will be required to notify the FTC, and they will be subject to an audit of the security measures and policies they have in place. Companies may also face future audits after the initial breach. To assure compliance, companies will have to be on top of where and what they are storing throughout the organization, at all times. Staying abreast of their information practices and locations will not only help them implement effective security practices, but will aid in breach detection and reporting and allow them to comply with the audit process as companies are required by this bill to have an auditable trail for all PII.
3. In addition to ensuring it’s accuracy and protection, companies will have to alert and give customers access to the PII information they are storing. They must also have in place a responsive system to help customers correct their data. This means a comprehensive view of all PII records will need to be in place to ensure information can be easily found and universally edited.

Though many states already have in place regulations surrounding data and breach notifications, the DATA act will preempt all of the state rules and gives companies a singular way to deal with PII security. Conversely, this could also mean that more stringent penalties and regulations could impact businesses. Comprehensive data mapping and strong policy regulation are essential to complying with this new legislation, and being prepared for the passage of the law will put companies ahead of the information security game.

Because DLP software solutions cannot identify information that resides anywhere outside the servers, when companies rely on them as their exclusive safeguard, sensitive information on external storage devices, hard copy information, and other unstructured data is left undetected and exposed. In order to be fully protected and ensure full compliance, companies need to start with an understanding of what types and in what locations their information exists, and they must have in place solid information management controls before making DLP software a component of their information security strategy.