Follow these five guidelines to keep your organization's data protected.

John Brenberg & Rebecca Herold, Information Security & Compliance Manager at 3M and Founder/CEO of The Privacy Professor; Co-Founder/President of SIMBUS360

December 12, 2017

Your brand can be one of your company's most valuable assets. It can command premium prices, customer loyalty, a faster sales cycle, and an overall healthier bottom line. But unfortunately, even the strongest brands can have difficulty withstanding the impact of a data breach.

Consider that the average cost of a single data breach is $3.62 million. On top of this, data breach incidents reportedly cause 65% of individuals to lose trust in the organization that experienced the breach. Recovering that customer trust may take years, if it can be recovered at all.

Addressing Privacy Law Variations
In response, organizations have stepped up their efforts to help protect data privacy. While this must be an ongoing business priority, it is far from simple, bearing in mind the trove of personal data that organizations collect and the range of privacy laws that exist to protect it.

Privacy laws vary from country to country — and even state to state, with 52 US state and territory breach laws in effect. The Alaska Personal Information Protection Act, for example, protects personal information in all verbal, electronic, physical, and visual forms. Then there are industry-specific regulations to consider, such as the Health Insurance Portability and Accountability Act, which safeguards medical information, and the Federal Information Security Management Act, which protects government information.

There are also age-specific regulations, such as the Children's Online Privacy Protection Act, that address the unique rights of individuals under the age of 13. And there's the European Union's General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, and requires organizations worldwide to implement comprehensive data protection programs that govern how they control and process personal data of individuals in, and citizens of, the EU.

January 28 is Data Privacy Day. Use this day as an opportunity to educate your colleagues on best practices to help safeguard data privacy. These five tips can help protect your company's brand and, more importantly, your customers' and workers' data privacy.

1. Understand what constitutes a data breach. A data breach is an incident in which sensitive, protected, or confidential personal data potentially has been viewed, stolen, or used by an individual who is not authorized to do so. This can include sensitive information discussed in a doctor's office, viewed on someone's laptop screen, hacked from a computer, or perhaps left on the printer. It could involve thousands of records, or just one. Depending on the regulation, it could involve identifiers, such as a name or identification number. Or it could be images of individuals, in photos or videos. It also could be data revealing racial or ethnic origin, political opinions, religion, trade-union membership, genetic data, health information, personal preferences, and so on.

2. Be aware of your surroundings. Workers should be trained to always be aware of their surroundings. Employees frequently use mobile devices to access and share data, often in full view of others. There is increased risk of data exposure inside the office, too: open-office floor plans remove the physical barriers that in the past helped shield computer screens. Those who work in public spaces and in heavy-traffic areas like emergency departments, public lobbies, government offices, and guest-service desks should know to look for suspicious behaviors, such as a visitor pointing a smartphone toward a computer screen.

3. Deploy layers of protection to avoid breaches. Add layers of protection as part of a defense-in-depth security approach. This often involves technical controls such as firewalls at the perimeter, data encryption, and two-factor authentication. Privacy filters can help protect sensitive data displayed on computer and device screens by blocking unauthorized side views. Other important protection measures include implementing clean-desk policies, using password-protected screensavers, and requiring that printed sensitive information be stored in locked areas and finely shredded when disposed of. Regular assessments can help identify vulnerabilities in these areas, as well as other gaps, such as poorly trained employees.

4. Collect only what you need. In the spirit of improving the buying experience, many organizations are collecting an increasing amount of personal information about their customers, asking for birthdays, the ages of children, and similar details. Collecting this level of information requires organizations to be aware of privacy laws, such as the GDPR, that are very stringent about how personal information may be used. As a best practice, organizations should proactively identify and collect only the personal information necessary for their intended purposes, retain it for no longer than strictly necessary (the minimization principle), and ensure that personal data is not made accessible to an indefinite number of people.

5. Be ready to respond quickly. Have a documented breach response plan that details roles, responsibilities, and processes. Schedule regular training exercises to help ensure your organization's incident response and breach notification policies and plans will work. Conduct tests to see whether employees know whom to alert if their device is compromised or they become aware of a data breach. Make sure you have forensic capabilities in place so you can quickly communicate what happened and what the company is going to do about it.

Together, these five tips can help safeguard data privacy, build customer trust, and protect your company's brand.

About the Author(s)

John Brenberg has over 30 years of experience spanning new product introduction, system development, infrastructure management and information security and compliance across multiple business segments and processes. He is responsible for leading the IT programs for information security, compliance and risk, all for the protection of company and customer information and critical business processes. Brenberg credits his success to his many strong internal partnerships across intellectual property, privacy, compliance and systems management.

Rebecca Herold (FIP, CISSP, CISA, CISM, CIPT, CIPM, CIPP/US, FLMI) is CEO and founder of The Privacy Professor consultancy, established in 2004. She is also co-founder and president of SIMBUS, LLC, an information security, privacy, technology and compliance management cloud service for organizations of all sizes, in all industries, in all locations, founded in 2014.

She also acts as a privacy consultant for 3M and receives compensation from 3M in connection with her participation as a 3M Privacy Consultant.
