On Jan. 28, companies around the world will recognize Data Privacy Day 2012, an annual international celebration designed to promote awareness about best privacy practices. Aon Risk Solutions, the global risk management business of Aon Corporation (NYSE: AON), encourages companies to use Data Privacy Day as an opportunity to assess network risk practices and identify where improvement may be needed.
"New risks, illustrated by the Carrier IQ mobile device privacy controversy, Zappos and Amazon's 24 million records breached, Sony's 100 million records breached and recent hacktivist attacks, are emerging faster than most policies and IT departments can keep up," said Kevin Kalinich, global practice leader of cyber insurance for Aon Risk Solutions. "Organizations that think their network could never be a penetrable target need to think again."
Companies must focus on data privacy risk mitigation practices and become familiar with their cyber risk insurance policy to ensure a financial backstop is in place when - not if - a data breach occurs.
"It is important to understand that data privacy compliance starts with your data. The organization needs to know where its information is located, transferred and how it is accessed," added Adam Nelson, chief privacy counsel for Aon Corporation.
In October 2011, the U.S. Securities and Exchange Commission introduced guidelines that call for public organizations to disclose cyber incidents and whether cyber insurance is purchased. While organizations do not legally have to disclose this information, plaintiffs' attorneys are likely to use the SEC guidelines as a threshold liability standard.
"Additional implications of these guidelines remain an unknown," Kalinich added. "If an organization does not disclose its cyber incidents, it may face fines from the SEC and open the door to increased shareholder lawsuits for not properly disclosing or assessing the risk of an attack. We may also see a time when credit rating agencies take cyber security exposures into account when evaluating a company – just as Standard & Poor's has done with enterprise risk management."
According to Aon, there are five important steps companies must consider taking to safeguard data:
1. Understand your obligations under law and applicable standards - Keep educated and aware of local, state, federal and foreign regulations, as they are constantly evolving.
2. Assemble a data security team and assess your data - In addition to determining the type and amount of personal data maintained, it is important to identify how data is collected, stored, used and transmitted as well as understand potential threats to the company's security (e.g. third-party vendors, such as cloud computing service providers).
3. Develop data protection, privacy policies and procedures - The data security team should review existing policies and make them consistent with industry best practices. Social networking sites and related blogs pose new threats that must be considered.
4. Control hardware and software - Laptops, PDAs and other mobile devices present additional challenges. A data breach prevention program must assess and control exposures related to hardware and software used by company personnel.
5. Review contracts - Update and negotiate services agreements to ensure privacy and security protections are embedded within the company's relationships.
Data Privacy Day began in January 2008 as an extension of Data Protection Day, celebrated in Europe. Among its many goals, Data Privacy Day promotes privacy awareness and education among businesses and consumers, focusing on privacy issues raised by the use of social networking sites, cloud computing, smartphones and other mobile devices as well as encouraging users to comply with existing privacy laws and regulations.