How to Comply with Federal and State Data Loss / Privacy / Security Laws

By Julie Ryan

There are several federal laws (and most states have laws in place, too) that are designed to protect the confidential information (or NPI, non-public information) of your employees, clients and vendors.

Most American companies are unaware of these laws, their compliance requirements, and the ramifications when NPI is lost through a data breach.

As with most governmental requirements, compliance is usually the last priority to be addressed and oftentimes results in hefty monetary fines and expensive lawsuits when data is lost or stolen.

So, here’s what companies need to do:

1. Appoint a Security Compliance Officer.

2. Distribute a written “Sensitive and Non-Public Information Policy” that must be approved by the board of directors (or, lacking that, by a committee of senior executives), and provide a copy to all employees.

3. Distribute a written “Identity Theft Prevention Program Policy” that must be approved by the board (or senior committee), and provide a copy to all employees.

4. Offer mandatory “Identity Theft Awareness Training” for all employees — full-time, part-time, seasonal and 1099, at all locations.

5. Have employees sign a “Confidential Information Agreement” specifically pertaining to data loss and protecting sensitive information. Keep these in the employees’ HR files.

6. Have a written “Mitigation Plan for Data Loss.”

7. Make sure all vendors and business associates are in compliance.

The items above may seem overwhelming, so let’s look at the government’s “logic” behind each one.

Security Compliance Officer: There needs to be a person who oversees your company’s “Data Loss / Security Compliance Program”: someone to implement it, to change it when necessary, and to lead the response in the event of a data loss.

Written Sensitive and Non-Public Information Policy: This document needs to be a broad-based policy that affects the whole company. It needs to be understandable and, therefore, easy to follow by all employees. Your policy will set the tone for your organization.

Written ID Theft Prevention Program: Your company needs to have clear methods of protecting confidential information pertaining to employees, clients, and vendors. Your accounting department will have different guidelines than your other departments. All employees need to know how to best protect confidential information in their day-to-day activities.

Employee Identity Theft Training: All employees must attend identity theft awareness training. It’s best to educate the employees about the types of identity theft, how documents and confidential information can be lost or stolen, and what to do to prevent data loss. Your employees will help your company identify the vulnerabilities and contribute solution ideas.

Employee Confidential Information Agreement: Have all employees sign your agreement after they’ve been trained, and place a copy in each employee’s HR file. This document is important because it records that your staff has attended the training and received copies of your policies.

Mitigation Plan for Data Loss: Have your plan in place before experiencing a data breach. Your security compliance officer will be leading the response team when a data breach occurs. He or she will interact with lawyers and company departments, oversee the victim notification process, perhaps set up a call center, and work with federal and state regulators and possibly the police, the FBI and the media. A viable plan is essential in managing damages, both financial and reputational.

Vendor Compliance: Data that originates at your company is your responsibility, even if a vendor or contractor loses it. Make sure all vendors that handle company confidential information, or that send service technicians on site, have their own programs in place.

So how do we streamline the process? There are three main ways.

Law firms specializing in privacy and security can help a company with templates of the forms and documents and advise on policy. The cost will be determined by the law firm’s rate and whether or not you put the firm on a retainer.

Consulting firms can also assist with templates of documents and make policy suggestions. They can train employees on identity theft awareness and coordinate a company’s vendor management program. Consulting firm fees will range in cost depending on the number of employees as well as the scope of the project. Some firms will “comp” the compliance program and employee training in exchange for allowing them to offer a voluntary identity theft protection benefit to your employees. Your only cost in this scenario is employee training time.

And of course, you and your staff can implement a program yourselves.

Bottom line: Make sure your company is in compliance with the federal and state data loss / privacy and security laws before a data breach occurs.

Vistage CE Member and entrepreneur Julie Ryan is an inventor, author and speaker who has sold inventions throughout the world via her own companies and licensing agreements with global medical companies. Julie has founded ten successful corporations in various industries including the medical, natural gas, long-term care, advertising and marketing fields. Currently, Julie owns and operates five companies involved in the development, manufacturing, marketing and distribution of a variety of products. Find out more about Julie at
Originally published: Mar 1, 2012
