
A Valuable Lesson From the OPM Breach

Privacy, Data Protection and Security
Thursday, 03 December 2015 20:56

By: Arthur M. Freyre

National Journal recently posted an article titled “OPM Just Now Figured Out How Much Data It Owns”. The article states that in the months after its system was breached, the Office of Personnel Management was able to conduct an inventory of the information that the agency had in its network. Although it is easy to say that this is an example of bad management, the fact is that many companies do not know what information they have stored in their computers, or even the content of the stored information.

Instead of waiting until after the damage of a data breach has been done, companies should begin the process of assessing the data that they have stored in their systems and start keeping an up-to-date inventory of such information.  Assessing the data includes reviewing the following items:

  • The network;
  • The information stored; and,
  • The access to the information.

Assessing the network includes not only your current system, but also any old computers and/or external hard drives that your company may have in storage. If your company has old computers in storage, it is important to see what information is stored in those systems. You may be surprised to find what may be sitting on those hard drives.

Assessing the information stored focuses on the content of the information and the purpose of the information. The content may be personally identifiable information that is subject to data protection statutes. If the information is considered personally identifiable information, then you are under an obligation to provide measures to protect that information. Your obligation to protect that information depends on the state in which your business is incorporated.

Besides reviewing the content of the information, you must also review the purpose of the information. The purpose of the information answers the questions, “Why do I need this information?” and “How long do I need this information saved?” 

Finally, the issue of accessing the information focuses on the question of “Who needs to have access to this information?” If the information is of a personal nature, then access to that information must be limited. Another question to consider is “How much information should that person have access to?”  In other words, “How much access would that person need to complete their work?”

Suppose you own an accounting office. The executive assistant may need a client’s name and address because that person is mailing something. On the other hand, the accountant working on a matter for that client may need access to said client’s financial information, in addition to the client’s name and address. The access is dependent on the employee’s role.  

Assessing your network, the content of the information, and who has access is a crucial step in developing a data privacy policy. Answering those questions allows you to develop and implement a data privacy policy that addresses your corporate needs, instead of taking a one-size-fits-all approach.

Please do not hesitate to contact us to discuss how we can help you assess your data security needs as well as implement a data privacy policy that fits your corporate needs.



©2018 PobleteTamargo LLP