IT Security Regulations and Compliance
Information security breaches can affect any size business. You have to be prepared to fight against hacking attempts, and other unauthorized access to business and personally identifiable information stored on your network. Your employees need to know, inside and out, your policies regarding protecting company data from inadvertent exposure. Additionally, depending on your business, you may be subject to information security regulations without even knowing it.
The government has mandated IT regulations and compliance rules to help keep the damage from a data breach to a minimum – assuming they are followed properly. For example, if you accept credit cards, are you aware of the PCI compliance requirements for payment security? What about your customers’ personal data – are you storing it in a database, and if so, what level of encryption are you using?
Your company’s data security policy must take into account several aspects to ensure you’re doing your due diligence to keep data safe, and Terkanian Law can help. The following considerations are a good start:
Data Privacy. Your customers expect – if not demand – that you keep their data safe. The best way to accomplish this is to have policies in place that only expose customer data as needed. For example, an employee who only needs to ship products to a customer likely has no need to access their billing data or social security number. By keeping data privileged, you’re helping to keep your customers safe.
Company Internet Access. Employees surf the web; that’s just a fact of life. Generally, there’s no harm in allowing an employee to take 5 or 10 minutes to “unwind” by checking Facebook. However, you need to have policies in place on what sites can – and more importantly, cannot – be visited. Your Internet Use Policy should include a white-list of approved sites, so that employees cannot visit sites outside the approved list. The purpose here isn’t to stop employees from getting to the sites they want, but to prevent an inadvertent pop-up or spoofed site from tricking your employees into thinking they are visiting a legitimate site. Weak Internet Use policies don’t take into account that the mere act of visiting a malicious website could have lasting repercussions – such as virus installations, browser hijacking, and phishing attempts.
Receiving and Opening Email. One of your biggest concerns should be your employees’ interaction with email. Most viruses are spread via email attachments, and unsuspecting users open the document without skepticism. Trojan horses, ransomware, hijackware, and a variety of other nefarious software can infect your entire network in a matter of minutes. That’s why it’s important to establish email system policies and routinely train your staff on best practices.
Credit Card Payment Security Compliance. There are quite a few other considerations that should be part of your company’s data security policy, but one that should not be overlooked is complying with credit card processing security. PCI DSS (Payment Card Industry Data Security Standard), or PCI, lays out dozens of requirements your payment processing system should be following to safeguard your customers’ data. PCI compliance is essential to limit your liability for credit card fraud and gateway intrusions.
At Terkanian Law, we help our clients navigate the often complex subject matter of drafting data security policies. Give us a call and let’s talk about building an effective data security policy for your business.