Ensuring Compliance: Information Types Your Organization Should Be Concerned About

By Matthew Bretzius posted 07-24-2013 14:43


This is a guest post by Dana Simberkoff, AvePoint Vice President of Risk Management & Compliance.

(Note: This is part of our series “Collaborate with Confidence”. Previous posts: Assessing Risk: Is Your Compliance Plan up to the Test?)

Information placed on the internet and available publicly or within enterprise collaboration systems can be used in unintended ways regardless of the original intent. This is true for public sector organizations, businesses, and individuals. All enterprise organizations collect and manage sensitive information from many sources – their own employees, customers, vendors, business partners or other businesses, government agencies, and even competitors. This sensitive information can include:

  • personal information: birthdate, address, social security number, race
  • medical information: medical history, allergies, patient health records, insurance information
  • financial information: employment records, tax information, bank accounts

Any of these types of sensitive information about the company, its customers, or its employees, along with security and logistical details, financial records, or even an incorrectly handled address or phone number, may create privacy and/or security threats that a third party could exploit.

Mishandling sensitive information can create unintended consequences that could carry civil or criminal penalties and fines, monetary damages, and even potential national security risks. Regulated industries such as healthcare, finance, public sector, oil and gas, or publicly traded companies may face significant regulatory and statutory penalties for inappropriate or inadequate controls that lead to a breach. Compounding these risks, modern search engine technology can aggregate, analyze, and construct new levels of understanding from unclassified sources.

Beyond the release of information, organizations may also face problems stemming from the release of inappropriate communications that could expose them to civil action. The possible risks, consequences, and penalties are in many cases specific to your state, country, and political region, or even to local city or county regulations.

It goes without saying that companies must be vigilant in building both privacy and security protections into their design and quality assurance practices. However, beyond protecting systems from the “bad guys” who could steal your information, companies have an additional obligation to behave as good corporate citizens. This includes not only protecting the information of their customers, but also communicating clearly with them about how they will use, store, and protect customer information.

Around the world, regulators have taken the stance that “giving is not the same as taking”. In other words, just because a consumer gives you their private information, that does not mean that the company has a right to then take that information and use it any way they see fit. Rather, companies have an obligation to clearly communicate what they will do with private information provided to them, and if they change those practices, they must notify consumers and provide them with the ability to choose to participate or not to do so.

Enterprise organizations must be vigilant in creating policies, training programs, and automated controls that enforce and monitor appropriate access to, use of, and protection of sensitive data, whether they are regulated or not. Doing so will not only mitigate the risk of regulatory and statutory penalties and consequences, but will also go far in preventing an unnecessary erosion of employee or consumer confidence in the organization as the result of a breach or the loss of sensitive data.

#RiskManagement #Collaboration #SharePoint #compliance #DataSecurity