Risk Assessment To Evaluate Data

Companies gather large amounts of personal data about their clients as they grow and become successful. That data is an important asset, but it becomes a liability when a data breach happens: after a breach, most states require a business to notify the affected clients.

In many state breach laws, "personal information" is defined as a first and last name (or first initial and last name) in combination with another identifying element. That other element may be a Social Security number or an identification card number (e.g. driver's license, passport, military, or government ID). Florida's statute also treats as "personal information" "a user name or email address, in combination with a password or security question and answer that would permit access to an online account."

Evaluating Company Data

A business manager needs to examine the company's computerized data carefully by performing an assessment. A Data Risk Assessment evaluates a company's data against four criteria:

  1. Types of Data: Identify and classify the confidential data that the law treats as "personal information." Review data restrictions in contracts, business associate agreements, and privacy policies.
  2. Uses of Data: Map where the company stores data (data at rest), where data moves (data in transit), and how the company processes data (data in use).
  3. Requirements of Data: Review legal obligations under state and federal law, including data breach regulations and online privacy acts.
  4. Management of Data: Confirm who is responsible for controlling the data, including monitoring and securing the flow of information.
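The first criterion, identifying which records the law treats as "personal information," is the step most often done by hand. The following is an added example (not code from the article or its author) of a small record classifier that encodes the two combinations described above: a name plus a government identifier, and an account name or email plus a credential. The field names, the SSN-shaped pattern used to catch identifiers hiding in unlabelled text columns, and the sample records are all assumptions constructed for the illustration; the rules are a simplified reading of the definitions as the article describes them, not any statute's exact text.

```python
"""Classify records against a breach-law style "personal information" rule.

Added illustration. Field names, patterns and sample data are assumptions
constructed for the example; the rules simplify the combinations described
in the article and are not a statute's exact definition.
"""

import re

# Assumed column names that count as a person's name, a government-issued
# identifier, an online-account name, or an account credential.
NAME_FIELDS = {"first_name", "first_initial", "last_name"}
ID_FIELDS = {"ssn", "drivers_license", "passport", "military_id", "state_id"}
ACCOUNT_FIELDS = {"username", "email"}
CREDENTIAL_FIELDS = {"password", "security_answer"}

# Identifiers often sit in free-text "notes" columns rather than a labelled
# field, so any value shaped like a Social Security number is also flagged.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def _present(record, fields):
    """Return the subset of `fields` that carry a non-empty value in `record`."""
    return {f for f in fields if str(record.get(f, "")).strip()}


def has_government_id(record):
    """True if a labelled ID field is populated or any value looks like an SSN."""
    if _present(record, ID_FIELDS):
        return True
    return any(SSN_PATTERN.search(str(v)) for v in record.values())


def classify_record(record):
    """Return the set of rules a record triggers: 'name+id' and/or
    'account+credential'. An empty set means the record, on its own, is not
    personal information under either combination."""
    triggered = set()
    names = _present(record, NAME_FIELDS)
    # Rule 1: (first name or first initial) + last name + government identifier.
    has_name = "last_name" in names and bool({"first_name", "first_initial"} & names)
    if has_name and has_government_id(record):
        triggered.add("name+id")
    # Rule 2: username or email + password or security-question answer.
    if _present(record, ACCOUNT_FIELDS) and _present(record, CREDENTIAL_FIELDS):
        triggered.add("account+credential")
    return triggered


def inventory(records):
    """Summarise a dataset for the assessment: how many records are personal
    information and which rule each one triggers."""
    summary = {"total": len(records), "personal_information": 0, "by_rule": {}}
    for record in records:
        rules = classify_record(record)
        if rules:
            summary["personal_information"] += 1
        for rule in rules:
            summary["by_rule"][rule] = summary["by_rule"].get(rule, 0) + 1
    return summary


# Constructed sample records (fictional values) covering the edge cases.
SAMPLE_RECORDS = [
    {"first_name": "Ada", "last_name": "Lovelace", "ssn": "000-00-0000"},
    {"first_initial": "A", "last_name": "Lovelace", "drivers_license": "X123"},
    # SSN buried in a notes column: still name + identifier.
    {"first_name": "Ada", "last_name": "Lovelace", "notes": "SSN 123-45-6789 on file"},
    # Name + email alone is neither combination.
    {"first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.com"},
    {"email": "ada@example.com", "password": "hunter2"},
    {"username": "ada", "security_answer": "Byron"},
    # An identifier with no name attached does not satisfy rule 1.
    {"ssn": "000-00-0000"},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(sorted(classify_record(record)) or "-", record)
    print(inventory(SAMPLE_RECORDS))
```

The two "not personal information" cases in the sample set are the ones worth noticing: a lone identifier, or a name with only an email address, does not meet the combination rule on its own, but the same values joined across tables or exports can. A real inventory therefore runs the classifier over each data store the second criterion maps, not only over single tables in isolation.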

When conducting a Data Risk Assessment, also consider the promises made to clients and the agreements made with business associates. For example, if a company shares data with other companies, its privacy policy should include an "opt out" provision, and the company needs a procedure that ensures every "opt out" request is processed and honored.

A Data Risk Assessment is the foundation for company policies such as internal controls and data retention schedules. Importantly, the assessment serves as a framework for a company's cyber due diligence in securing sensitive information.


Alice is a member of the Florida Bar, and she focuses on data privacy and cybersecurity compliance. She attended the Warrington College of Business at the University of Florida and earned a Bachelor of Science in Business Administration. After graduating, she earned a Juris Doctor at the Stetson University College of Law. During law school, she served as an Assistant Executive Editor for Stetson Law Review and also as a Staff Editor for Stetson Journal of Advocacy and the Law. She also served as a member of The Florida Bar Journal/News Editorial Board from 2018-2024. She is currently a member of the Florida Bar Cybersecurity and Privacy Law Substantive Law Committee.