October 04, 2016

Who's Responsible for Protecting Personal Data & Information?

Who’s responsible for protecting personal data from information thieves – the individual or the organization?

This year’s National Cyber Security Awareness Month campaign, which kicked off October 1, points to the importance of engaging all individuals in cyber security activities. "Cyber security is present is every aspect of our lives, whether it be at home, work, school, or on the go."

But recent research has shown that despite the fact identity theft is a long-time leading consumer complaint many individuals are careless with their information. In a 2016 Experian survey, almost half of over 2,000 British adults admitted that they rarely or never change their passwords. Good password hygiene is one of the best ways to protect credit cards and other information from thieves.

Attitudes in organizations can be contradictory too. Other Experian research showed that while the majority of small and medium-sized enterprises (SMEs) said it is an organization’s responsibility to protect personal data, 45% of them insist it’s not solely the company’s responsibility. Furthermore, 39% don’t think they’re even at risk for a data breach.

What it comes down to is the importance of both parties doing what they can to protect personally identifiable information (PII).

Here are 9 reasons why protecting personal information must be a priority in the workplace:

• Information overload. There’s so much information to manage today – from new information being produced to archival files. A comprehensive document management process will track, cull, and protect all confidential information.
• Data breach risk. The 2016 Cost of a Data Breach Study by Ponemon put the likelihood of a material data breach involving 10,000 lost or stolen records in the next 24 months at 26% for organizations around the world.
• Financial costs. Nearly every U.S. state has a data breach notification law – and fines for non-compliance. Some states have laws allowing individuals to sue organizations that fail to safeguard their private data.
• Consumer opinion. Experian data showed that 42% of consumers believe it is a company’s responsibility to protect consumer data. Plus, 64% of consumers would be discouraged from using an SME’s service following a data breach.
• Reputation. Experian also showed that 57% of British adults can name a business that’s been affected by a data breach; 54% say increased security measures by the organization could help restore confidence.
• Mobile devices. All workplaces are increasingly relying on portable computing devices. Loss or theft of laptops is one of the most common ways that security of corporate data is compromised. Have a specific policy, and use layered protection including encryption software, virus protection, and password protection.
• Information thieves. According to the Privacy Rights Clearing House, there’s outside intrusion (computer hackers, and thieves who physically get into the workplace) but also insider carelessness, errors and wrongdoers. Introduce clear security policies and procedures, and provide on-going employee training.
• Easy picking. Thieves mine garbage bins, in-use and stored computers, and even used copier equipment and printers for valuable personal data. Confidential information has to be completely destroyed when it is no longer needed. Partner with a leading document destruction company that provides destruction services for paper (secure cross-cut shredding) and electronic data (e-media and hard drive destruction). The company should provide a secure chain of custody, on- or off-site shredding and a certificate of destruction after every shred.

A Clean Desk Policy is a simple yet effective way to reduce the risk of a data breach – and to underline the importance of information security.