Limit Access

Limiting the number of people that can access certain personal data through a company network or system can make it much easier to determine if or when a breach occurred. Businesses should set up layers of access passwords, keys, and firewalls so that access is limited to only those who have a need to access the data for a specific purpose.

Limit Data Collected

This may seem basic, but some businesses collect information that they do not even need. Many businesses continue to collect data because it has “always been done that way.” The Minnesota Health Insurance Exchange (MNsure) experienced some early flak after one of the staff accidentally sent an email file to a broker including the social security numbers of 2,400 insurance agents. The file was not encrypted. Social security numbers and some of the other information contained in the transmitted Excel spreadsheet did not even need to be collected and stored by the agency.

A business should only collect information for which the business has a specific need. For example, why ask for the social security number from a person if you have no need for it? This collection and storage of unnecessary personal information is only an invitation for potential liability.

Remote Access

Cloud computing and the expanded ability for employees to access information remotely through laptops, tablets, smartphones, and other mobile devices require that more attention be paid to building security walls around data that should not be accessed by every user. More and more businesses are allowing employees to use their own personal devices for both personal and business use. In such cases, the business might consider implementing an appropriate Bring Your Own Device (BYOD) policy to make sure that data privacy and security issues are covered.