The rules that govern information privacy and security are changing quickly. Every company, no matter its size, should review the personal information it handles. This includes the data it collects, maintains, stores, uses, shares and transfers.
The U.S. does not have a single, comprehensive law that governs how a company can handle personal information (the meaning of personal information may vary by situation and location). Instead, it has information protection laws for some industries, such as the financial and health care sectors. Companies outside of these regulatory sectors must keep up with a growing body of state laws on the proper handling of personal information.
Take Alabama’s data breach notification law, for example. If a company handles certain personal information about Alabama residents, it must employ reasonable measures to protect the information against a security breach. These include considering naming an employee to oversee the company’s security measures and requiring service providers, through a contract, to also employ proper safeguards. If a company handles similar information about California residents, it may be subject to more burdensome legal duties under that state’s privacy law. California law grants its residents, among other things, the right to know what personal information a company handles about them and the ability to make sure the information is erased.
All fifty states now have some rules on how their residents’ personal information can be handled. These regulations vary and are added to often. A company that handles personal information, whether from one or multiple states, should conduct an inventory of the information it handles to adapt to this shifting legal landscape. An information inventory detects:
- The personal information a company collects
- Why and how the company handles it
- Whom it is shared with
- How it is stored and deleted
- What security measures are employed throughout the information’s lifecycle
Once the inventory is complete, the company can find and assess the changing risks (legal, financial and reputational) associated with the personal information and respond.