Protecting Your Company's Data from Security Breaches

Know What Data Your Organization Has, Where That Data Goes and Where It Originated

It is important for counsel to understand the nature and scope of sensitive data that its organization uses in the course of its business, and how this data flows through the business. Significant obligations may be imposed on your entity based on the type and nature of data, and how that data is used in the business. Counsel's inquiry should cover not only the company's own data, but also data that the company handles on behalf of third parties (customers and vendors). Certain information can give rise to statutory or regulatory obligations that may require heightened security procedures, such as healthcare or financial information. Other information may trigger audit concerns for the entity or its clients: Just as important as understanding the scope and nature of the data is understanding how your entity came to possess the data and what happens to that data while in your entity's control. Counsel needs to evaluate how the data was collected as certain disclosures may need to be made at the point of collection, or certain contractual obligations may need to be imposed on agents that interact with the data. Next, it is important to understand the lifecycle of the data within your organization. Where is it stored and how is it secured? Is it ever processed or transmitted and, if so, what protections are taken during those steps? Is it ever transmitted across international borders? If the data is subject to regulation, are those requirements being met? Finally, counsel must understand how data is disposed of once it is no longer useful. Are contractual and regulatory obligations being met? Does the handling of the data comply with the organization's retention policy? With a full understanding of the data's path through your entity, you will be better able to protect the data on a day-to-day basis.