1 / 25


SMALL BUSINESSES. PRIVACY CONSIDERATIONS. February 2013. How Privacy Impacts Your Business. Legislative Technological Trust. Two Primary Considerations. Potential and Current Employees. Initial Considerations Does your company run background checks on potential employees?

Download Presentation


An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript


  2. How Privacy Impacts Your Business • Legislative • Technological • Trust

  3. Two Primary Considerations

  4. Potential and Current Employees Initial Considerations • Does your company run background checks on potential employees? • Does your company monitor employee use of email and/or other employee online activity at work? • Does your company permit or encourage employee use of personally-owned devices (e.g., smartphones, tablet computers, laptops) in the company network or to conduct company business? • Does your company train employees on various privacy and security issues?

  5. Background Checks

  6. Fair Credit Reporting Act (“FCRA”)

  7. Policies

  8. Employee Monitoring

  9. Bring Your Own Devices

  10. Cloud Computing

  11. Employee Training

  12. Customers Initial Considerations • Does your company collect customer information? • What types? • Financial • Health • Does your company have policies in place about what your company does with customer information? • How does your company store customer information (both physically and electronically)? • How long does your company need customer information? • How does your company dispose of customer information? • Does your company collect information from children?

  13. Policies

  14. Email

  15. Mobile Apps

  16. Third-Parties

  17. Law Enforcement

  18. Strategic v. Operational

  19. In Summary • What is private information? • The Five Pillars of Privacy. • Small businesses have obligations to protect the privacy of: • Potential and Current Employees; and • Customers. • Breach: • What can happen to your company? • How should you protect your company?

  20. Call to Action

  21. Appendix A – Document Destruction • “Company shall retain records for the period of their immediate or current use, unless longer retention is required by law or to comply with contractual requirements. Such records outlined in this policy include, but are not limited to: paper, electronic files, and voicemail records regardless of where the document is stored, including network servers, desktop or laptop computers and handheld computers and other wireless devices or telephones with text messaging and/or instant messaging capabilities. Hardcopy documents will be destroyed by shredding according to the document retention schedule. Electronic copies will be destroyed by proven means to destroy such data according to the document retention schedule.” • Helpful resources • FTC Disposal Rule: http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf • FTC: http://business.ftc.gov/documents/alt152-disposing-consumer-report-information-new-rule-tells-how • The Watershed Institute: http://www.thewatershedinstitute.org/resources/publications/FinalDocPolicy.pdf

  22. Appendix B – Security • Helpful resources • SANS Institute – www.sans.org • This website contains a number of sample security policies, including for computers, emails, HIPAA, mobile and wireless. • View a primer on developing security policies: http://www.sans.org/security-resources/policies/Policy_Primer.pdf • InfoSec Reading Room: http://www.sans.org/reading_room/whitepapers/awareness/ultimate-defense-depth-security-awareness-company_395

  23. Appendix C – BYOD Policy Considerations • It is important for your company to create a BYOD policy before allowing any employee to BYOD. • For more information: http://www.citrix.com/site/resources/dynamic/additional/byod_best_practices.pdf. • Policies should include: • Employee responsibilities for devices; • Eligibility requirements and limitations for devices; • Limiting applications and/or data access; • Reservation of the right to wipe company data and/or the entire device; • A disclaimer of any liability of loss of personal applications or data; • Any other restrictions including but not limited to the use of browsers, wireless or other services; • Payment for the devices. • Security policy considerations include: • Require use of whole device password and/or requirements for when passwords must be changed; • The process for handling lost/stolen devices; • Timeline requirements for reporting lost/stolen devices; • Enforcement of password and other security measures; • Repair and/or upgrade of devices; • Requirement to install software.

  24. Appendix D – Privacy • Helpful resources • FTC: • http://www.ftc.gov/opa/2012/03/privacyframework.shtm • http://www.ftc.gov/privacy/coppafaqs.shtm • http://business.ftc.gov/documents/bus55-getting-noticed-writing-effective-financial-privacy-notices • Video: http://business.ftc.gov/privacy-and-security • For mobile app developers visit: https://www.cdt.org/report/best-practices-mobile-applications-developers

  25. Additional Resources • Illinois’s Personal Information Protection Act (815 ILCS 530/1): http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67. • Illinois’s Right to Privacy in the Workplace Act (820 ILCS 55/): http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2398&ChapterID=68. • Information Security and Security Breach Notification Guidance by the Illinois Attorney General’s Office: http://illinoisattorneygeneral.gov/consumers/Security_Breach_Notification_Guideance.pdf. • Driver’s Privacy Protection Act (18 U.S.C. 2721-2725): http://www.accessreports.com/statutes/DPPA1.htm. • The PrivacyAct and The Freedom of Information Act: http://www.ssa.gov/privacyact.htm. • Federal Communications CommissionCyber Security Planning Guide: http://transition.fcc.gov/cyber/cyberplanner.pdf. • Cloud Computing and Privacy: http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/pages/cloudcomputingandprivacy.aspx; http://www.truste.com/products-and-services/enterprise-privacy/TRUSTed-cloud.

More Related