December 19, 2009
by Wilma Colon-Ariza
Businesses, small and large, must deal with workplace information protection and privacy to some extent. The degree to which these businesses and their management protect their confidential information, including employee and client personal information, depends largely on a) their self-interest, b) the regulated environment in which they operate and must comply with, and c) their desire for good business practice.
Self Interest
Many businesses have trade secrets which, if stolen, put them at a competitive disadvantage and either end their business life or, if they are lucky, merely end their expansion and growth aspirations. Therefore, they must protect that confidential business information at any price or they will disappear in no time.
Businesses spy on each other all the time for valuable trade secrets that help them gain a competitive advantage, whether it is the launch of a new product or service or the improvement of existing processes to increase efficiency, productivity and client base. Each business must determine what information is important to it and place security controls around that information to secure its business viability and future growth. This is what I mean by "self interest": protecting something that is important.
Other areas of self-interest are financial fraud and, to a lesser degree, management's attachment to the information protection field: certain key management members may be more security conscious than others, possibly because of their past professions and experiences, and therefore place importance on workplace information protection.
Regulations
Some businesses, depending on the nature of their business and the industries in which they operate, have been scrutinized for many years and continue to be heavily regulated by the government; financial institutions and healthcare companies are the obvious examples. Businesses spend a lot of money just to keep up with and comply with such regulations.
Although we can always debate the usefulness of these laws and whether they are worth the cost companies must pay to comply, there is no doubt that, following many of the business scandals and the loss of public confidence, the government had to do something to prevent another corporate financial disaster that wipes out people's retirement accounts, or another personal data leak that leads to mass identity theft and identity fraud.
In my opinion, these laws, to some extent, help improve corporate security controls by raising awareness, visibility, authority and oversight, and help ensure the confidentiality, integrity and availability of personal and financial data, but we need a national law, similar to the European Data Protection Directive, to address corporate security issues in a consistent manner.
There are simply too many laws floating around at the federal and state level, overlapping each other, which if consolidated could address most of the risks in a consistent manner. Right now the laws are too scattered, and may or may not apply to certain industries or even address all workplace information protection risks. Below are a few of the laws that companies have to comply with:
The Gramm-Leach-Bliley Act (GLBA) of 1999 modernized the regulation of financial institutions and, through its Financial Privacy Rule and Safeguards Rule, requires them to explain their information-sharing practices to customers and to maintain a written program that protects customers' nonpublic personal information: bank statements, Social Security numbers, credit card numbers, tax information and other personally identifiable information (PII).
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 applies to practically all health plans, healthcare clearinghouses and providers that transmit health information electronically. Its Administrative Simplification provisions were meant to improve efficiency in healthcare delivery by standardizing Electronic Data Interchange (EDI) transactions, and its Privacy and Security Rules protect the confidentiality, integrity and availability of protected health information (PHI) by setting and enforcing standards.
The Sarbanes-Oxley Act (SOX) was signed into law in 2002 to improve corporate governance and ensure the integrity of financial data. It introduced stringent new rules to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws; Section 404 in particular requires management to assess internal controls over financial reporting, which in practice pulls the IT and information security controls around financial systems into the audit.
The details behind some of these laws, and of others that affect identity theft and information security, can be found in the identity theft law sections of a number of government regulatory websites [see Links and Useful Resources on our blog sidebar]. These regulations often require the establishment of many security components, among them policies, procedures, standards, and an executive security position responsible for managing workplace information protection risks.
Good Business
Having adequate workplace information protection controls just makes good business sense. Not only can it save the money spent on endless investigations, public relations, consumer notification and recovery of lost data, it can also build consumer confidence. Would it not make sense to secure online transactions and protect business and client information at the same time?
Consumers are increasingly reluctant to do business online as news of data leaks continues to emerge in the business sections of major newspapers almost weekly, but they would be more inclined to trust online business if businesses were able to buy their confidence back through their actions.
In future blog posts we will explore in detail 1) the scope of the information that needs protection, 2) the nature of the information to be protected, 3) the rationale for and extent of data protection, and 4) strategies for managing workplace information protection.
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.
About the Author: Wilma Colon Ariza is a Certified Identity Theft Risk Management Specialist (CITRMS), Certified HIPAA Security Specialist (CHSS), Certified Security Compliance Specialist (CSCS), Business and Employee Data Security and Privacy Law Compliance Consultant offering Federal and State ID Theft Law Workshops and Seminars. Member in good standing of The National Association of Professional Women [NAPW] and The League of United Latin American Citizens [LULAC]. She is an active Identity Theft Victims Rights Advocate, Public Speaker and Blogger.
[Ms. Ariza is a former Prepaid Legal Services Inc., Independent Associate]