By: Michael P. Sawicki, Esq.
For most companies that handle confidential information such as financial records, proprietary business plans, personal data, health information, or credit card processing, data security should be a top priority. The added complexity of cloud services and flexible work environments has altered how and where your employees connect to the office and where your company’s data resides. It is more important than ever to protect your digital information from unauthorized access, corruption, or theft throughout its entire lifecycle.
A data security policy describes how a business handles confidential information and personal data. Its primary function is to protect that data and to give consumers and employees transparency about how their data is processed, protected, and shared. A data security policy regulates the usage, management, and monitoring of data within an organization, with the goal of protecting all data the company uses, manages, and stores. Data security policies are typically not required by law, but they can help organizations comply with data protection standards and regulations.
Types of data security include hardware security, software security, and legal security. Organizations are legally obliged to protect customer and user data from loss, theft, or compromise. Data security is also crucial to preventing the reputational harm that accompanies a data breach, and legal security can mitigate the company’s risk if a breach does occur.
The Maryland Personal Information Protection Act (MPIPA) was enacted to ensure that Maryland consumers’ personal identifying information is reasonably protected, and if it is compromised, they are notified so that they can take steps to protect themselves. Maryland data privacy laws specifically define what counts as personal information. This includes a Maryland resident’s first and last name or their initials. However, this information must be in combination with one or more of the following:
· Official ID numbers (e.g., Social Security, passport, driver’s license, or tax identification numbers);
· Financial numbers (e.g., account, credit card, or debit card numbers);
· Personal health information, such as details of health insurance policies;
· Biometric data; and
· Genetic information.
If there is a security breach, businesses are required to conduct a prompt investigation into the breach and inform affected consumers within 45 days of the breach. Notices must be made to consumers in writing. Any notice must urge the consumer to change his/her passwords and security questions and must detail all compromised information, provide the business’s contact information, and include a statement that informs consumers how they can get advice on preventing identity theft via the Federal Trade Commission and Office of the Attorney General.
Compliance under MPIPA consists of organizations implementing a reasonable level of security to protect personal information. This requires creating, adopting, and maintaining a written security policy. It also requires businesses to take reasonable steps to prevent unauthorized access to personal information.
If you would like to get more information on the creation of a data security policy and speak to an attorney about your needs, please contact Batoff Associates, P.A. at 410-864-6211.