Crafting an Effective Data Security Policy



The threat of a data breach to a business cannot be overstated, but many of the risks can be substantially mitigated by educating employees, designating a data security specialist as the company's "point person", and putting a well-conceived data security policy in place.


As our lives and our businesses become ever more connected through information technology, it becomes ever more necessary to understand the risks we take with our data when we put it on the internet, or even on a company's own internal network. With the consequences of poor data security making high-profile headlines nearly every week, most people are now aware of the risk, but far fewer can say what steps must be taken to secure a business's electronic data.

Details of a Data Breach

When it comes to business, data breaches may be separated into two broad categories: customer data breaches and employee data breaches. Most high profile cases of corporate data theft involve customer data, such as credit card numbers or medical information. However, a growing number of cybercrimes involve the theft of employee data.

One recent case involved the hacking of Federal Government employee information. 4.2 million current and former government employee records were alleged to have been stolen. In this case, government employee records were not properly encrypted because the computers and software being used were outdated.

The potential harm is nearly the same whether the stolen data belongs to employees or to customers. Without proper preparation and systems, both electronic and procedural, in place, a company's exposure is great and varied. Direct damages can include loss of digital assets, business interruption, extortion, forensic expenses and PR damage. Secondary damages can include regulatory investigations, penalties and civil fines, legal expenses, and potentially huge settlements for the breach.

While every company is at risk of a data breach, attackers are most likely to target businesses that handle high volumes of personally identifiable information (PII) or protected health information (PHI), such as social networking sites, healthcare providers, e-commerce businesses, retailers, CPAs, schools and law firms.

Not only is the risk of being targeted higher for these businesses, but their legal exposure is greater because of the type and quantity of information that could be expected to be stolen in a breach. This makes it even more vital for any business that routinely handles PII or PHI to ensure that its physical, electronic and procedural security policies and practices are in place and tested.

Preventing Data Breaches

When data breaches do happen, they are in most cases preventable, as the following breakdown of claims scenarios for data breaches shows (the categories are reproduced as reported; they sum to 94%, so a small share is unaccounted for):

  • Unintended disclosure-31%
  • Physical loss of paper records-24%
  • Portable devices-13%
  • Hack/Malware-11%
  • Insider-9%
  • Payment card-3%
  • Unknown-2%
  • Stationary device-1%

Combining the first two categories, 55% of these breaches involve an unintentional or accidental release of data, where any thief involved is committing a crime of opportunity rather than a carefully planned digital heist.

This analysis points to the single most effective way to protect your data. If 55% of incidents stem from internal accidents, then drafting well-thought-out data security policies and procedures, continually reinforcing them, and periodically retraining employees in them can have a massive effect. A company that reduces its accidental PII and PHI releases to zero has effectively halved its chance of a high-risk data breach.

It cannot be stressed enough that the best policies and procedures in the world will not be effective if employees ignore or circumvent them. To ensure that the business has the resources to reinforce and train, it is advisable to hire a security expert to serve as a point person, or to train an existing employee to fill that role.

The advantage of having one person oversee data security is that it lets that person view the security of the company as a whole and take responsibility for every aspect of it. This allows the point person to identify areas where security is lacking or where retraining is needed. On a more basic level, having a point person means the business has at least one security specialist on staff whose job is directly in the interest of the business's security, not something to be ignored.

What Should be in a Security Policy?

Once a business has committed to crafting a data security policy and ensuring that they are reinforcing these policies and procedures, the natural next question is ‘what should be in this data policy?’

Data Security policies must first make clear to the target audience, most likely a business’s employees, that the policy is a pledge to protect customer data as well as their data. By making it clear that this is not only to protect customers, but also themselves, employees will view security in a more personal light. The policy should spell out the overarching goal of protecting PII and PHI confidentiality.

A good data security policy will also spell out guidelines for proper password use. The business's security specialist can tailor this part of the policy to the business's circumstances. The rules of thumb this article recommends are: require all passwords to be complex (multiple character types, a minimum length, etc.), require passwords to be changed at least every three months, and forbid 'leapfrogging' (alternating two passwords back and forth with each change). Note that current NIST guidance (SP 800-63B) moves away from composition rules and scheduled rotation in favour of a minimum length, screening new passwords against lists of known-breached passwords, forcing a change only when compromise is suspected, and pairing passwords with multi-factor authentication; whichever rules the business adopts, a per-user password history is what actually stops leapfrogging. The IT department can automate many of these requirements, but the expectation of proper password use should be spelled out here.
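As an added example (not NOVAtime's code and not part of the original article), the following Python checks a candidate password against the rules above that software can actually enforce: a minimum length, a blocklist of common passwords, and a per-user history that rejects any of the last N passwords, which is the check that defeats leapfrogging. The constructed blocklist, the 12-character minimum, the history size of 10 and the PBKDF2 round count are assumptions chosen for illustration; the rotation interval is a policy schedule that this check does not decide.

```python
import hashlib
import hmac
import os

# Assumed parameters for illustration; a real policy sets its own values.
MIN_LENGTH = 12
HISTORY_SIZE = 10          # how many previous passwords may not be reused
PBKDF2_ROUNDS = 100_000

# Constructed blocklist. A real deployment screens against a large corpus
# of breached passwords, not a handful of strings.
COMMON_PASSWORDS = {
    "password123456",
    "correcthorsebatterystaple",
    "welcome1welcome1",
}


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stored history cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordPolicy:
    """Keeps a per-user history of (salt, digest) pairs and vets new passwords."""

    def __init__(self) -> None:
        self._history: dict[str, list[tuple[bytes, bytes]]] = {}

    def check(self, user: str, candidate: str) -> tuple[bool, str]:
        """Return (accepted, reason) without changing any state."""
        if len(candidate) < MIN_LENGTH:
            return False, f"shorter than {MIN_LENGTH} characters"
        # Normalise before the blocklist lookup so case and spacing tricks do not bypass it.
        if candidate.lower().replace(" ", "") in COMMON_PASSWORDS:
            return False, "appears on the common-password blocklist"
        # Compare against every stored digest; this is the check that stops
        # leapfrogging (alternating two passwords at each forced change).
        for salt, digest in self._history.get(user, []):
            if hmac.compare_digest(_digest(candidate, salt), digest):
                return False, f"matches one of the last {HISTORY_SIZE} passwords"
        return True, "ok"

    def set_password(self, user: str, candidate: str) -> bool:
        """Apply the policy; on success record the new password in the history."""
        accepted, _ = self.check(user, candidate)
        if not accepted:
            return False
        salt = os.urandom(16)
        history = self._history.setdefault(user, [])
        history.append((salt, _digest(candidate, salt)))
        del history[:-HISTORY_SIZE]   # keep only the most recent entries
        return True


def demo_leapfrog() -> list[bool]:
    """Simulate a user alternating two passwords across forced changes."""
    policy = PasswordPolicy()
    return [
        policy.set_password("alice", "blue-teapot-rides-north-41"),   # new: accepted
        policy.set_password("alice", "orange-ladder-quiet-sea-07"),   # new: accepted
        policy.set_password("alice", "blue-teapot-rides-north-41"),   # leapfrog: rejected
    ]


if __name__ == "__main__":
    print(demo_leapfrog())   # [True, True, False]
```

The history stores only salted PBKDF2 digests, so a leaked history does not hand an attacker the user's previous passwords, and the comparison uses `hmac.compare_digest` so that timing does not reveal how close a guess was.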

The policy should also cover expectations for employees' use of the internet, email, and company laptops and mobile devices. Without clear guidance, many employees will not consider the risk that indiscriminate internet and email use poses to the company's network. By clearly explaining expectations in the data security policy, the company not only increases the chance that employees will adhere to it, but also gains some legal protection should a breach happen.

In addition, the security policy should define clearly for employees what counts as PII and PHI, as well as the other protected data categories (proprietary data, copyrighted material, etc.), and state how each category must be handled (for example, never sent over email, or sent only over encrypted email).
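As an added example of what "define what counts as PII" can mean in practice (not NOVAtime's code and not from the original article), the following Python flags two common PII types in an outgoing message before it is allowed to leave over plain email: U.S. Social Security numbers in dashed form, and payment card numbers validated with the Luhn check digit so that ordinary 13- to 19-digit order or tracking numbers are not flagged by accident. The patterns, category names and sample messages are constructed for illustration; a real deployment extends the categories to whatever the policy defines.

```python
import re

# Patterns constructed for illustration. A real policy also covers names,
# dates of birth, health record identifiers and whatever else it lists.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the set of protected-data categories found in text."""
    found: set[str] = set()
    if SSN_RE.search(text):
        found.add("PII:SSN")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):      # drops look-alike numbers that are not card numbers
            found.add("PII:PAYMENT_CARD")
    return found


def may_send(text: str, encrypted: bool) -> tuple[bool, set[str]]:
    """Policy decision: protected data may leave only over encrypted email."""
    categories = classify(text)
    return (encrypted or not categories), categories


# Constructed sample messages.
SAMPLES = {
    "invoice": "Please charge card 4111 1111 1111 1111 for invoice 88213.",
    "hr": "New hire SSN is 123-45-6789, please set up payroll.",
    "benign": "Tracking number 1234567890123 shipped this morning.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        allowed, cats = may_send(body, encrypted=False)
        print(f"{name}: allowed over plain email={allowed}, categories={sorted(cats)}")
```

The tracking number in the "benign" sample is 13 digits and matches the card pattern, but fails the Luhn check, which is why the check digit matters: a regex alone would generate false positives that train users to ignore the control.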

A final, critical element of a data security policy is the requirement that employees report all security incidents. While this may seem like common sense, having the requirement in writing, and having employees sign off on it, can help shield the business from some legal liability.

Solutions that can Help

Workforce management and time & attendance solutions like NOVAtime can help you manage your business's employees easily, but you need to be sure that the solution you choose can properly protect the data you enter into it. When choosing a workforce management solution or a similar system, make sure it provides configurable password rules so you can enforce the practices in your policy: strong passwords, the change interval you adopt, and a password history that prevents 'leapfrogging'. It is also beneficial to choose a system that supports single sign-on (SSO) against your existing directory, such as Microsoft Active Directory, so that accounts are provisioned, disabled and audited in one place across your IT systems. Ask any prospective cloud hosting provider what security audits and certifications its data centers and system have received. Make sure its data centers have an SSAE 16 Type II audit (SSAE 16 has since been superseded by SSAE 18; note too that an SSAE 16/18, i.e. SOC 1, report covers controls relevant to financial reporting, so for security, availability and confidentiality controls ask for a SOC 2 Type II report as well), and that the system has received independent third-party security testing, such as the services offered by Plynt.


With data breaches, the classic advice to "prepare for the worst and hope for the best" should be taken to heart. While the hope is that a business will never have to deal with a data breach, the fact of the modern world is that for many businesses the risk is high. But with proper preparation, the correct personnel, and a well-written data security policy, businesses can give themselves the resources never to be caught flat-footed by a potential disaster.


For additional information, please contact NOVAtime: 877-486-6682.