A Little Privacy, Please?
Just when we all got comfortable talking about information security, along comes a whole lot of talk about data privacy to complicate things. Even though the two terms are sometimes used interchangeably they’re not the same concept, although definitely closely tied to one another. One way to think about the two concepts is to think of one as externally focused while the other is internally focused.
Information security is all about protecting information from folks who shouldn’t get their hands – or eyes – on it. We put firewalls in place, we educate employees about the dangers of phishing and how to spot a phishing attempt. We’re trying to keep folks from outside our firm from accessing information we have in our possession and on our systems.
But data privacy can be just as challenging. Once we have information inside our walls and on our computers, what are we doing to ensure that the information is available only to those who have a need to access it…and ensuring that it’s used only for its intended purposes? Tools like ethical walls that limit visibility of information in shared repositories, role- and team-based permission management, and even restricted access to war rooms and case files are all part of ensuring data privacy.
Another commonly overlooked way that firms can help shore up their data privacy efforts: distribution list use and management. The “need to know” idea is often one that falls by the wayside when information is sent via email. A wide net of recipients is easy to cast by simply dropping in a quick distribution list. Most folks never take a moment to expand their lists to check exactly who is receiving the messages sent to the group. Just because a case distribution list includes 25 people doesn’t mean we should send sensitive information to all 25 people. Who truly has a need to know?
Data privacy can also be complicated by the desire for conveniences like BYOD. When I bring my own device and connect it to our firm resources, where is the line between “my” data and the data the firm has purview over? While some firms’ policies address this tricky question, most don’t and often the question isn’t answered until it has to be due to circumstances.
A key element in any security or privacy effort is educating those who are on the front lines of handling our information. We must focus on information security that protects our data from the outside world, and ensure that smart data privacy measures inside our firms are creating good data stewards who share information only with those who need to have it.
Helping employees understand why data privacy is of the utmost importance to our clients, and what the law says our obligations around data privacy are, is critical. When our employees understand that there’s more to protecting information than simply the tools our IT teams provide, then we can begin to explore more best practices around data privacy as well.
As part of our efforts to help every firm protect information from outside threats as well as internal missteps, we’ll be incorporating more data privacy best practices, and the role every firm employee plays in those efforts, into our award-winning OnGuard™ Information Security Awareness Program. When you’re OnGuard™, every day is Data Privacy Day.