Now that you’ve identified the different types of personal information your company collects, it’s time to identify all the different places where that information might be lurking.

Where does your company store personal information (and other sensitive information) it collects electronically?

Customer information is all stored in our customer database. Our employee information is stored in our HR system. I think that’s it.

What about email?

Huh? I don’t think people would store anything like that in email.

Are you sure? It might be worth running a scan for nine-digit numbers (to identify SSNs) or sixteen-digit numbers (to identify credit card numbers) to be certain. Bear in mind that a raw digit-count match will also pick up order numbers, tracking numbers, and the like, so filter the hits (for example, by checking card candidates against the Luhn check digit) before you act on them.

Really? That seems like overkill to me.

It might be overkill, depending on your organization. That said, it is incredibly common to find personal and other sensitive information scattered across numerous systems, applications, and databases in an organization, not just in the database of record: exported spreadsheets, shared drives, backups, and laptops are typical hiding places. Before you implement administrative, technical, and physical controls to protect sensitive information, review all of your IT systems and data stores (including off-site and portable storage) so that you know every place where data is stored.

In addition to electronic data, you’ll also need to identify the different places where sensitive information is stored in hard copy.

Hmm. I think the only sensitive information we store in hard copy is personnel records. Those are in our HR department. Everything else is stored online.

Are you sure? What about customer receipts? Confirmation emails? Packing slips? Accounting reports? Vendor invoices? Again, there’s usually more sensitive information floating around in hard copy than people think.

Make sure you know all the places where your organization stores sensitive information, including personal information. As we said, this is a critical step in the process of ensuring that you comply with the Massachusetts data security rules and any other state, federal, and industry data protection laws and rules that might apply to your company. In addition to preparing your company to conduct a risk assessment (which we’ll cover in our next post), identifying where different types of sensitive information are stored will help the company be ready to respond to any discovery requests from investigative agencies or opposing parties in lawsuits.
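The email scan suggested earlier in this post (nine-digit numbers for SSNs, sixteen-digit numbers for card numbers) is noisy on its own. What follows is an added example of how to tighten it; it is not part of the original post and not a tool from any vendor. It assumes a plain-text mailbox export as input (the sample text below is constructed for the example, and all numbers in it are test values), and it goes a little beyond the post: it accepts 13- to 19-digit card numbers rather than only 16-digit ones so that American Express and older Visa formats are covered, drops card candidates that fail the Luhn check digit, and applies the Social Security Administration's structural rules (area 000, 666 and 900 through 999, group 00 and serial 0000 are never issued) to SSN candidates. Nine-digit runs without separators are reported at low confidence, since those are usually order or tracking numbers.

```python
import re
from dataclasses import dataclass

# Constructed sample of a plain-text mailbox export (assumed format: one message per
# blank-line-separated block). All numbers are test values, not real data.
SAMPLE_MAILBOX = """\
From: payroll@example.com
Subject: new hire paperwork
Jane's SSN is 123-45-6789, please add her to the HR system.

From: orders@example.com
Subject: order 234567890 shipped
Tracking number 987654321, card ending 1111.

From: customer@example.com
Subject: re: refund
Here is my card again: 4111 1111 1111 1111 exp 09/27. Old card 4111-1111-1111-1112 was cancelled.
Amex backup: 3782 822463 10005.
"""

# SSN: three-two-four digits; separators are optional but must match each other.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")
# Card number (PAN): 13 to 19 digits with an optional single space or dash between digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    kind: str        # "ssn" or "pan"
    masked: str      # value with all but the last four digits replaced by '*'
    confidence: str  # "high" or "low"
    line: int        # 1-based line number in the scanned text


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: these ranges are never issued."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def scan(text: str) -> tuple[list[Finding], list[str]]:
    """Return (findings, rejected); rejected explains candidates that failed validation."""
    findings: list[Finding] = []
    rejected: list[str] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            area, sep, group, serial = m.group(1), m.group(2), m.group(3), m.group(4)
            if not ssn_plausible(area, group, serial):
                rejected.append(f"line {line_no}: {m.group(0)} fails SSA area/group/serial rules")
                continue
            # A bare nine-digit run is more often an order or tracking number than an SSN.
            confidence = "high" if sep else "low"
            findings.append(Finding("ssn", f"***-**-{serial}", confidence, line_no))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                rejected.append(f"line {line_no}: {m.group(0)} fails Luhn")
                continue
            findings.append(Finding("pan", "*" * (len(digits) - 4) + digits[-4:], "high", line_no))
    return findings, rejected


if __name__ == "__main__":
    hits, dropped = scan(SAMPLE_MAILBOX)
    for f in hits:
        print(f"{f.kind.upper():3} line {f.line:>3} {f.masked:>19} ({f.confidence} confidence)")
    for reason in dropped:
        print("rejected:", reason)
```

Run against the constructed mailbox, the scan reports the dashed SSN on line 3 at high confidence, the bare nine-digit order number on line 6 at low confidence for a human to triage, and the two Luhn-valid card numbers, while the tracking number (area 987 is never issued) and the card number with a wrong check digit are listed as rejected rather than silently dropped. Masking the values in the output matters: a discovery report that itself lists full SSNs and card numbers becomes one more place sensitive data is stored.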