
Data Privacy is a Business Responsibility

Most people have an inherent expectation of privacy, and the protection of their personal information is extremely important to them. In an odd contrast, consumers routinely hand detailed personal and financial information to companies in order to take part in the many convenient and necessary opportunities for shopping, utilities, banking, and mobile device applications that today’s super-connected world provides. Consumers freely provide their private and personal information to these companies with the expectation that it will be protected from disclosure or misuse. In fact, this large amount of personal data, which companies ingest to conduct business, does become the company’s responsibility to protect.

Cyberattacks, such as ransomware, intrusions, and malware, are persistent threats, and companies and individuals are targeted continuously. A breach of a company’s data that results in the disclosure of personal information is not only embarrassing and damaging to the company brand; it can also result in stiff criminal and civil liabilities and penalties for failing to provide adequate protection against such attacks and data loss.

The company must take specific steps to protect the privacy of employees and clients. Personally Identifiable Information, or PII, whether collected for security purposes or as account data, must be protected in accordance with the state, federal, and international laws and regulations that apply to the business.

There are many laws in place today with the intention of protecting citizens’ and consumers’ personal information. These laws and regulations protect private information and require organizations to properly secure their data against a breach. Whether your company is looking to protect against corporate espionage, insider threats, or hackers looking to steal personal information, it is important that you have a full understanding of the data privacy requirements, how they apply to your organization, and that you are actively addressing them.

Having a clear understanding of all applicable laws and regulations allows a company to plan and prepare documented policies and implement procedures that ensure the organization meets its compliance obligations. The legal team and leadership of an organization must keep apprised of recent litigation and new legislation that could affect company policies and procedures.

A few of the most important laws regarding privacy include:

Privacy Act of 1974. The Privacy Act governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. Companies must maintain account and tax information on employees for payroll and personnel management purposes. This includes SSNs, addresses, phone numbers, next of kin, and other personal data.

HIPAA. The federal Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires specific processes and technical mitigations to be in place to protect individually identifiable Protected Health Information (PHI) that is held or transferred electronically. HIPAA has two primary rules: the Privacy Rule, which established standards for PHI, and the Security Rule, which operationalizes the Privacy Rule by establishing a national set of security standards and addressing the technical and administrative protections and mitigations that protect individuals’ PHI. In 2009, the HITECH Act added requirements to address privacy and security concerns associated with the electronic transmission of health information, with the intention of strengthening civil and criminal enforcement of the HIPAA rules.

GLBA. For financial institutions, the U.S. federal Gramm-Leach-Bliley Act (GLBA) requires that those companies disclose to customers how they protect and share their customers’ data. Additionally, GLBA requires financial institutions to inform customers of their right to opt out of any data sharing.

GDPR. For the European Union (EU), and any company with partnerships, vendors, or customers that deal with the EU, the compliance rules of the General Data Protection Regulation (GDPR) must also be followed.

CCPA. The California Consumer Privacy Act (CCPA) is one of the newest, and broadest, laws to go into effect in the U.S. Taking effect in January of 2020, the CCPA is meant to protect the privacy and personal information of California residents and consumers. CCPA applies to California residents and to any for-profit business that does business in the state of California, whether that business resides in California or not. If you collect personal information on California residents, as may happen with online businesses, this law likely applies to you. The law, in essence, gives the people of California the right to decide how their data is used, shared, or stored. CCPA has many similarities to the EU’s GDPR, including the right to opt out of any sharing of personal data. Companies that are already under compliance requirements under HIPAA or GLBA are exempt from CCPA requirements.

Proper and thorough risk management must be in place, and company security and privacy policies should address risk mitigation controls and meet all legal obligations and compliance regulations. The company must comply to protect against lawsuits, customer complaints, public relations nightmares, and loss of customer trust. All of these could have a detrimental effect on the profitability, or survivability, of the company.

Additionally, technical and physical control policies should be put in place to protect data at rest and in transit while it is in the custody of the organization.

The company must ensure that any policy, plan, or procedure is written and implemented in accordance with, and designed to maintain compliance with, federal, state, and regulatory laws and policies.

A data breach will cause significant damage to the company’s reputation. The trust of company employees, consumers, and partner organizations is put in jeopardy. This loss of trust is the reason that 60% of small and medium-sized companies go out of business after a breach that results in the loss of data.

Your company has a responsibility to safeguard customer data, including personal information, just as it does other company data, such as proprietary information and trade secrets. A company’s data, next to its employees, is the organization’s most essential asset. This means that you must protect the data of your employees, your customers, your partners, your vendors, and all contacts with which your company does business, for as long as that data is in your care.

Data Security and Data Privacy

Data security is focused on the technical processes and tools that IT professionals employ to prevent, deter, or mitigate cybercriminals’ attempts to access company data and capture a company’s sensitive information. Some of the data that must be protected may be PII, PHI, or otherwise privacy related, such as credit card numbers, addresses, phone numbers, social security numbers, or account information.

Data privacy, a subset of data security, is more of a legal and compliance term, describing the laws, regulations, and policies that are applied to ensure the proper handling, storage, transmission, and use of personal data and to avoid unauthorized disclosure. Data privacy also means that any individual who has provided personal information to a company retains control over their own information.

What can a company do to ensure data privacy?

Data privacy is accomplished through the implementation of policies and processes designed to protect the privacy of data. A company’s data privacy policy, and the procedures that follow from it, govern the proper collection, storage, and use of the personal information that the company processes.

To ensure data privacy is maintained, the responsible company will create a clear policy that outlines its commitment to privacy protection. This commitment might also be a key line item in the company’s code of ethics. A privacy policy should also identify the authorities, laws, and regulations that apply to the organization, and the roles and responsibilities of those tasked with the processes and procedures related to privacy and data protection.

Privacy protection should be included in initial and annual cybersecurity awareness training for all employees, so that everyone understands the importance of data privacy to the company. Privacy policy training reinforces how everyone can help protect private information and how to handle any potential breaches or privacy concerns.

A company’s overall privacy policy will also drive the IT staff’s guidelines, processes, and procedures, which document in technical detail how sensitive and personal data is obtained, how it is stored, and how the company uses it. Most importantly, the company privacy policy must provide technical details for how the company protects the data that it collects, stores, transmits, and processes.

If appropriate protections, such as identity management, device management, data loss prevention, and multi-factor authentication, are not implemented, you run a real risk of a data breach.

At The Penn Group, we help small companies and organizations with cybersecurity concerns and solutions, such as policy development, risk assessments, privacy protection, security monitoring, workforce training, testing, and incident response. We break down complex cybersecurity and compliance topics to help your company build a culture of security and privacy in your organization.

Written by Douglas Stewart – MSIT, CISSP, CEH, PMP

Original Artwork by Douglas Stewart

One Comment on “Data Privacy is a Business Responsibility”

Rebecca Gardner, February 25, 2021 at 4:22 pm

It was helpful when you explained that the processes of privacy and data protection should be explained in a privacy policy. I just learned that my cousin wants to find work as a data protection officer later this year. Maybe I’ll share this info with him so he can have a better idea of what the process of data protection actually includes!
