Data security impacts all of us, whether we are shopping, returning to school or filing our taxes. This week, news broke about the theft of 4.2 million debit and credit card numbers from a grocery store chain in the U.S. Also this week, Associated Press published an article about a hacker who accessed as many as 10,000 student records including 6,600 social security numbers.
As consumers, these events are alarming. As employees and employers, these events spur us into action. Nearly every individual contributes in some way to protecting sensitive client information while at work. A quick perusal of the website for The Privacy Rights Clearinghouse – a nonprofit consumer information and advocacy organization – shows that data breaches can result from employee error, improper planning, technical glitches or a lack of policy.
To protect data, organizations often use a wide array of physical and technological barriers, policies or procedures. The common denominator for all preventative measures, however, is that they be implemented properly by the responsible individuals. Consequently, performance management plays an important role in corporate and data security. Performance management processes communicate expectations, clarify individual responsibilities, link individual actions to a greater outcome, identify training needs and pinpoint those individuals who are effectively carrying out expectations and those who are not.
Recommendations about how to protect data are available on both the Privacy Rights Clearinghouse website and the U.S. Better Business Bureau website. But the bottom line may rest – as an article by Ian Harvey of The Globe and Mail suggests – with “people process and technology.” Regular communication is paramount. Luis Navarro asserts in Talent Management magazine that the components of an effective “security awareness program” include “continuous training, communication and reinforcement.” Some studies confirm the need for these efforts. Scott Leibs wrote in a 2007 CFO article about a University of Washington study of 600 incidents that showed approximately 60% of compromised data resulted from employee action and usually involved a mistake. In addition, 56% of organizations that participated in a 2006 InfoWorld Security Survey claimed that employees often neglected to follow company security policies.
The Privacy Rights Clearinghouse article Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace contains the following suggestions: “adopt a comprehensive privacy policy,” collect only necessary data, limit access to data, encrypt sensitive data and ensure proper handling of mobile devices. Other recommendations in the article relate to ensuring proper disposal of records and computer equipment containing data and developing a “crisis management plan.”
To make sure that proper data protection becomes a part of day-to-day practice, expectations must be included in employee performance and development planning, goal setting, performance evaluation and – if possible – be linked to rewards.
References:
“Credit card data stolen from supermarket chain.” Reuters. March 17, 2008.
Goodin, Dan. “2006 InfoWorld Security Survey: IT’s Confidence Crisis.” Infoworld Online, October 30, 2006.
“Harvard Says Hacker Broke into System.” The Bellingham Herald [Associated Press] [TheBellinghamHerald.com]. March 18, 2008.
Harvey, Ian. “For a long time our industry focused on using technology to solve all our problems. And really, it’s people process and technology.” Globe and Mail, print edition, November 27, 2007, p. 44.
Leibs, Scott. “Insider Raiding.” CFO, May 2007, p. 20.
Navarro, Luis. “Security-Savvy Workforce: Designing a Security Awareness Program That Works.” Talent Management, December 2007, pp. 44-46.
Privacy Rights Clearinghouse. Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace [www.privacyrights.org]. Obtained March 18, 2008.
U.S. Better Business Bureau. “FTC Guide for Business: Protecting Personal Information” [www.usbbb.org].