Data privacy, security laws have far-reaching impact

By Bart Lazar, CIO.com |  Security, privacy, regulation

  • Designate one or more employees to maintain the security program.
  • Identify and assess the internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information.
  • Evaluate current safeguards and means for detecting and preventing security system failures.
  • Implement and evaluate ongoing employee training (which must include temporary and contract employees).
  • Implement and evaluate employee compliance with policies and procedures.
  • Develop security policies that set forth whether and how employees should be allowed to keep, access, and transport records containing personal information outside of business premises.
  • Discipline employees for violating program rules.
  • Prevent terminated employees from accessing records containing personal information by immediately terminating access.
  • Take reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including:
    • Selecting and retaining service providers that are capable of maintaining safeguards for personal information (i.e., conducting due diligence)
    • Contractually requiring service providers to maintain a security program that complies with the Standards
    • Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with legal requirements
  • Require an audit/inventory to identify paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, unless the security program provides for the handling of all records as if they all contained personal information.
  • Implement reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas, or containers.
  • Regularly monitor to ensure that the security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrade information safeguards as necessary to limit risks.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness