After yesterday’s conversation, you should know if your company has designated someone to be responsible for data security and privacy, and if so, who that person (or persons) might be. You should also have an idea of whether the company has a data security and privacy program, and/or what types of policies, procedures, plans, or other company documentation exist.

If you found the person responsible for data security and privacy, and he or she promptly directed you to the company’s comprehensive data security program and it’s been updated in the past year or so, great.

If you managed to excavate a policy or two, some plans, and/or some procedures, check the date to see when they were last updated. If the documents have dates older than 2007, it’s definitely time for a review.

What if there’s no date on the policy?

Here’s a tip: if any of the following terms appear anywhere in the document(s), it’s time for an update:

  • Diskette
  • PalmPilot
  • Netscape
  • PointCast
  • Modem (the dial-up kind)
  • Weblog
  • Zip drive

Likewise, if any of the following terms are missing, it’s also a sign that your data security policies, procedures, and controls probably aren’t quite up to date:

  • Blog
  • USB drive (a/k/a thumb drive, jump drive, memory stick)
  • Smartphone (a/k/a BlackBerry, iPhone)
  • Social networking (a/k/a Twitter, Facebook, Foursquare, etc.)
  • Wireless

As we discussed yesterday, the Massachusetts data security rules require companies to develop, implement, and maintain a comprehensive data security program and designate someone to be responsible for maintaining the program. They also require companies to review the contents and controls detailed in the program annually, or whenever the company changes its business practices in a way that might affect the security of personal information.

Wow. Updating things every year seems really unnecessary.

It’s not quite as bad as it sounds. The rules don’t require you to make changes every year – they only require you to review the program every year to make sure the controls in the program are sufficient to protect personal information.

I guess I just don’t see why the policy can’t be good for three (or four or five) years. Our other corporate policies only get updated every three years.

That’s a good question. The problem with waiting three years to review and update any policies, plans, or procedures that are technology-focused is that technology (and the corresponding security problems that come with the use of technology) evolves much faster than that. If you don’t re-evaluate the potential threats to the security of your company’s information and adjust your data security policies, procedures, and controls to combat those threats, you run the risk of having the company’s systems and/or data compromised.

So take a look at the data security policies, plans, and procedures that make up your company’s data security program. Are they current? Has your company implemented the right procedures and controls to protect personal information? If not, it’s probably time to make sure you know what types of sensitive data you collect and how you handle, use, and store it. We’ll cover those topics in our next few posts.