Common security elements in your company's record management policy

Posted on July 6, 2009 in: HR Info Center

Multi-level security is a vital part of the record management policy

The most common security element in a record management policy is establishing a written information security program. That is part of the Safeguards Rule and a best practice.

A second common element in a record management policy is having management oversight and appropriate training of employees. That also sounds familiar from the Safeguards Rule, as does having periodic assessments and updates. Once again, it is part of the Safeguards Rule. So going back and looking at the Safeguards Rule will help you identify what the FTC thinks is important. And these are really good preventative steps as well.

An effective security component to your record management policy is your best and only real defense

It really is not a defense that a hacker or other criminal victimized your company. As you can see from the ChoicePoint example, you really don’t get cut any slack even if you are the victim of a very elaborate professional criminal ring.

The credit card example is another way of demonstrating that. A card system, which was the processor of payment card data for many of the major credit card companies, had its system hacked. It was a professional job; they managed to get over 40 million credit card numbers. Many of you probably received notification letters back when this happened, telling you that it had occurred.

This resulted in multiple class actions, both by consumers and by affected merchants. Many of them had been using a state law claim similar to the FTC theory of unfair or deceptive trade practices.

Now, it’s taken a little while for the consumer class actions to get underway in the area of data security and record management policy, in part because you have to prove damages and causation. You have to prove that this identity theft has resulted from this breach.

But we’re starting to see that happen more and more in these cases revolving around the efficacy of a company’s records management policy. And I think that we’re seeing that plaintiffs’ counsel are more interested in taking these cases.

Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.
