A Business Owner’s Duty to Protect Sensitive Company Data
By Paul Peterson, Managing Partner, Wiss & Co. LLP
No two companies are the same in culture, work environment or the vulnerabilities inherent in their digital landscape. This makes it very difficult to implement a standard way of protecting the privacy and security of worker and customer data from external threats.
But nothing is more important to your company's credibility and positive relationships with customers and employees than safeguarding their sensitive data. After all, you've seen the economic and reputational damage done to companies ranging from Target to Sony Pictures by data breaches that could have been avoided.
You can start addressing potential issues with an honest assessment and a three-step evaluation and action plan.
- Identify your worst-case scenario. Threat levels can vary dramatically based on company profile. But even if you don't think your company handles sensitive data, you almost certainly hold the banking, health care and performance records of your own employees.
Start a threat assessment by compiling a picture of the worst danger a data breach might pose. Would you have enraged clients or embarrassed patients? Could your company be humiliated by a release of private communications? (Think Sony Pictures.) Would you be facing a public relations nightmare? With a clear risk assessment, you'll know just how seriously you must take the situation and how quickly you must act.
- Determine who’s in charge. The ultimate responsibility and action plan have to start from the top. Do you have the right people safeguarding your sensitive data? Do you have an adequate defense? The issue is too important for the IT people to be the only party saddled with the task of protecting your digital privacy and security. The leadership team needs to be involved.
- Address risks. You may need to partner with third-party experts who know how to assess your threat level, install and test system security measures and further mitigate risk through employee education. For instance, all of your people should understand that removable media (USB thumb drives and external hard drives) may only be connected to company systems if the drive is encrypted. A written policy statement ensures everyone knows the policies and rules that will keep your data safe and your employees, customers and company reputation protected.
As a Managing Partner at Wiss & Co. LLP, Paul Peterson oversees firm operations including data security and advises clients on various business issues. Reach him at firstname.lastname@example.org.