I previously wrote about preparing procedures for responding to a security breach and noted the importance of having a data security policy. In this post I wanted to lay out some guidelines for drafting and implementing such a policy. Numerous versions of data security policies are available for viewing online. The examples adopted by governmental agencies, universities and hospitals are generally quite comprehensive, but they may be too cumbersome for use by smaller companies. There is a general consensus, however, that any data security policy should cover each of the following core topics and issues:
The policy should open with a “Statement of Purpose” that describes why the policy is needed and why the board of directors and senior executives of the company have taken the time and effort to create the policy and invest resources in educating employees about the underlying issues.
The policy should define its intended “scope,” including who and what is covered by the policy. This section should make it clear that the policy applies to employees, contractors and any others to whom the company provides access to its confidential information. The policy should also define the “data” that is subject to the policy, and that definition should track the applicable statutory definitions of “confidential personal information.”
The policy should spell out the responsibilities of all covered persons with respect to the handling, storage and protection of confidential personal information. Since one of the primary audiences for the policy is the employees who work with sensitive data, it should include rules and examples that track the manner in which the data is actually used on a day-to-day basis within the company.
The policy should identify who within the company organization has been vested with responsibility for implementing and enforcing the policy and should also spell out the potential sanctions that may be imposed against persons who fail to comply with the policy.
It is not sufficient to merely write a data security policy and post it on the company’s internal web site. A strategy should be put in place for communicating the policy throughout the company organization and making sure that all employees are aware of the policy and receive any necessary training and support. The person or department responsible for implementing and enforcing the policy should also develop procedures for reviewing how well the policy is working and for updating it as needed, whether to close gaps in security that are identified or to fix specific problems that led to an actual breach of security. The policy should also be reviewed periodically to make sure that it takes into account changes in technology and data storage practices, new laws and regulations, and changes in the types of data that the company collects.