In my last post, I shared five tests to evaluate partners on data security and privacy. Continuing on that theme, this post highlights best practices for companies of all sizes in all industries to protect their own client data.
The recent Wells Fargo breach was the result of human error. It was also an indicator of poor business practices coupled with ineffective security education. It's possible the breach could have been prevented had the following best practices been followed.
- Comprehensive employee information security and privacy training programs. Effective training for all employees who have any type of access to any form of personal data is critical. Properly trained employees know they should not send large amounts of data, as happened in the Wells Fargo incident, but only the specific data items necessary. This is called the minimum necessary privacy principle. It has existed for decades and has been established in multiple laws and regulations over the past 25 to 35 years.
- Thorough policies and procedures for handling and transmitting personal data. Companies need to have well-documented and easily accessible security and privacy policies. These policies should cover things like sensitivity levels, sharing, use, storage and encryption procedures, what to do when an incident occurs and much more.
- Enforcement of security and privacy policies. Even the best policies and procedures are worthless if they aren't followed or enforced. Knowingly circumventing information security and privacy policies and procedures demonstrates negligence on the part of business leaders.
- E-discovery processes for protecting client data. Every type of organization, and large financial organizations in particular, should have e-discovery policies and procedures that are aligned with their data security policies and procedures. Every staff member with e-discovery responsibilities needs to know and understand these policies and procedures. It should be standard practice to send only the specific data requested in an e-discovery request, and to send it in accordance with the organization's data security standards.
- Vendor and third-party management oversight. Regulations and laws increasingly require contracted third parties, including law firms and other types of advisors, to follow the same legal requirements as their clients. The Wells Fargo incident is a clear example of why this can't be overlooked.