Target Corp's data breach has been big news this holiday season, with as many as 40 million holiday shoppers across the nation exposed to potential credit and debit card fraud. According to the Identity Theft Resource Center, which tracks U.S. data breaches, the Target breach was one of over 600 data breaches in 2013. In our increasingly digital world, data breaches are a growing risk with many potential causes, including system failures, human error, employee misconduct, or outside theft.
- Appoint an employee to be in charge of overseeing and coordinating the company's information security efforts for sensitive employee and customer information stored in hard copy or electronic form.
- Have each company department that handles sensitive employee or customer information work with the company's information security coordinator to: (i) conduct and document an inventory of the type of sensitive information handled by that department; (ii) assess potential internal and external data security risks; (iii) develop and document information security safeguards for addressing these risks; and (iv) communicate and train department employees on these safeguards.
- Limit access to sensitive employee or customer data to only those employees whose position requires access to the data and prohibit other employees from engaging in unauthorized access, use, or disclosure of the data.
- Ensure that hard copy records are stored in secured, locked locations and that only authorized personnel have keys to the locked areas.
- Ensure that the company has appropriate technology safeguards in place to secure electronic data from unauthorized access and to limit access to only authorized employees.
- Consider encrypting data when it is transmitted electronically over networks or stored online.
- Require employees to use unique, secure password-activated screensavers on computers and any personal devices used for work purposes and to regularly change passwords.
- Ensure that the company has a method for carefully selecting and only hiring third-party vendors/contractors capable of securing confidential data, and that third-party contracts contain language requiring the third party to safeguard the data.
- Regularly train employees on information security measures and requirements.
- Ensure that the company has an effective system in place for obtaining hard copy and electronic data back from departing employees or third-party vendors/contractors when their relationship with the company ends.
- Require employees and third-party vendors/contractors to promptly report any potential data security breach to the company.
- Adopt a data breach response plan in advance so that the company is prepared to promptly and appropriately address any data breach that does occur.
- Conduct periodic tests and audits of security measures and make adjustments as appropriate.
Megan Anderson, Partner, is an MSBA-certified employment and labor law specialist and proactively partners with businesses, non-profit organizations, and higher education institutions to ensure employment law compliance and prevent ...
The information contained in this post is provided to alert you to legal developments and should not be considered legal advice. It is not intended to and does not create an attorney-client relationship. Specific questions about how this information affects your particular situation should be addressed to one of the individuals listed. No representations or warranties are made with respect to this information, including, without limitation, as to its completeness, timeliness, or accuracy, and Lathrop GPM shall not be liable for any decision made in connection with the information. The choice of a lawyer is an important decision and should not be based solely on advertisements.