In our last CyberTip, we discussed the need for every employer to have its own customized cybersecurity policy. And, as we stated, a robust policy depends first on knowing what confidential information the company possesses, and where it exists.
As an initial matter, then, consider that one or more laws give individuals certain privacy rights in these types of information:
- Social security numbers
- Taxpayer ID numbers
- Driver's license numbers
- Passport numbers
- Bank account numbers
- Credit/debit card numbers
- PINs
- Email names or addresses
- Internet account numbers/ID names
- Digital signatures
- Biometric data
- Parent's legal surname prior to marriage
- Credit reports
- Criminal background checks
- Drug tests
- Medical records
- Student education records
- Information shared with financial institutions
TIP: Cybersecurity starts with knowing what personal and confidential information your company possesses and where it is found. Perform a full inventory as part of developing the culture of cybersecurity that will minimize risks of exposure.
Personnel files, accounting information, and customer records are obvious places where this kind of information resides, but it is also located in the nooks and crannies of various electronic records throughout many businesses. A strong cybersecurity team should include representatives from enough corners of the organization to allow the company to identify exactly what confidential data it has.
Separate from such data on people, a business also has its own confidential information to protect. Laws do not prevent a company from revealing this kind of information about itself; rather, this is confidential business information, sometimes a trade secret, that a company chooses to protect for its own competitive advantage. This kind of information can include, to name just a few examples, special needs of customers, purchasing histories, terms of customers' business relationships, pricing and marketing strategies, non-public financial records, proprietary software programs, product development information, and information entrusted to a company by vendors and business partners on the expectation that the company will keep it confidential.
It sounds too simple to say that you cannot know what you have to protect until you know what you have. The simplest steps in any process, though, are often the ones that are skipped, and there is no substitute for careful analysis of where personal identifying information is held and where confidential company data exists. Only then can a culture of security take root in the right places.