
By Ronald Breaux and Sam Jo

In its 2013 global data breach study, the Ponemon Institute reported that data breaches experienced by U.S. companies continue to be the second most expensive in the world at $188 per record. The study also reported that U.S. companies had the second greatest number of exposed or compromised records per breach at 28,765, resulting in an average total organizational cost of more than $5.4 million per data breach.

A strong security posture and implementation of a comprehensive privacy and data security plan is the single most effective measure that companies can employ to mitigate the significant costs of remediating a data breach. Companies would be wise to consider the following suggestions to create an effective privacy, compliance and data protection plan or to revise an existing plan to account for changing laws, regulatory requirements and technological developments.

An important first step is to understand what type of information is being collected and what requirements applicable laws, regulations and other internal compliance policies impose.

Identify the Types of Information Collected and Processed

Under current U.S. laws and regulations, the following types of commonly collected information require special handling and protection: personally identifiable information (e.g., an individual’s first name or first initial and last name in combination with a specified identifier such as an account number, Social Security number or driver’s license number); cardholder data as defined under the Payment Card Industry Data Security Standard (PCI DSS); and protected health information as defined under the federal Health Insurance Portability and Accountability Act (HIPAA).

Survey the Legal and Regulatory Landscape

Once you have identified the types of information you collect, identify the applicable laws and regulations that pertain to that information and implement precautions to ensure compliance with those laws and regulations. Depending on the size of company and the type of data collected, the scope of this survey may range from simply analyzing applicable federal and state laws and regulations to a more detailed and complex analysis of international data protection regimes, industry standards, audit protocols and internal policies related to vendor contracting.

Gather and Examine Internal Policies

Your company may have data retention and destruction policies, privacy policies, data security procedures, data breach notice plans, new hire and other employee training material, computer-use agreements and internal auditing and monitoring processes. All of these materials should be gathered and considered when developing a data security plan.

Assemble Your Information Security Team and Evaluate Risks

As a precursor to developing (or revising) a data security plan, assemble a team of individuals in your organization responsible for ensuring information security, privacy compliance and data protection, as well as a board member and personnel from your legal, IT, human resources and communications/public relations departments.

Once your team is assembled, generate a list of the risks associated with noncompliance with privacy laws, mishandling of personal data and data breaches. The risks may include loss of customers and business, investigative costs, regulatory actions, fines, litigation, disclosure obligations and unfavorable publicity. Once this risk analysis is complete, identify one or more methods for mitigating each risk. Revisit this risk assessment regularly to re-rank the risks as your company’s organizational controls and systems evolve and improve.

Design and Implement Your Solutions

Take a Privacy-by-Design approach to addressing privacy and data security risks when developing your solutions. In other words, consider customer privacy, legal compliance and data protection throughout the data lifecycle; i.e., collection, processing, storage and destruction.

The following is a representative sample of solutions, techniques, procedures and policies that may be relevant to your company in developing and implementing an effective privacy and data protection plan:

  • Develop a System for Monitoring and Tracking Network Access

Implement controls and systems that allow for early detection of network intrusions and the ability to identify the intruders. This can be critical to mitigating breaches or other types of security incidents. Continually coordinate with your IT professionals to ensure that network access is adequately monitored such that suspicious activity on your network can be detected prior to breach.

  • Design Effective Employee Policies and Procedures

Employees can be a common cause of data breaches, data loss and data misappropriation if appropriate safeguards are not instituted and enforced. To mitigate these risks, develop comprehensive policies and procedures that dictate which employees have access to particular data; establish how confidential and proprietary information must be handled; include instructions on reporting impermissible uses or violations of policies related to confidentiality and security; and contain onboarding and exit procedures to protect against information misappropriation upon termination of employment. The effectiveness of a data security plan is critically contingent on employee awareness of and compliance with the plan. Companies need to promote employee awareness and preparation through regular training and set expectations within their organizations that privacy and data security are taken seriously.

  • Develop a Breach Response Plan

A critical part of your company’s data security plan is the breach-response plan, which governs how to respond to a suspected or actual breach. An effective breach response plan should identify the leaders of the response team and should be easy to follow and scenario-based. Consider including checklists in the plan to ensure that proper procedures are followed to collect pertinent information related to the breach and promptly secure the premises and systems where the breach occurred in order to prevent additional data loss. Be sure to immediately involve legal counsel in all aspects of an investigation—including communications about the potential breach, remediation efforts and disclosure and reporting—to ensure protection under the attorney-client and work product privileges.

  • Conduct Regular Audits

Regularly measure the effectiveness of your designed solutions, including by revisiting and reevaluating all of the factors that went into developing them. Regular audits should evaluate your information-security practices and whether your company is effectively following those practices, including conducting tests to ensure that employees are properly and consistently implementing the solutions. 

Your company can mitigate the high costs of remediating a data breach by having a strong security posture and incident response plan, assembling a proper team to oversee your privacy and security practices, and having a plan for breach remediation. Companies that have previously designed and implemented—or do not currently have—privacy and security plans need to be mindful of the ever-changing laws and regulations as well as the ever-evolving technological safeguards and threats that need to be accounted for.

While this article provides a general overview of privacy and security plan best practices, the parameters of each organization’s privacy and data protection practices will naturally differ in scope and complexity depending on the nature of the organization, the types of information collected and the regulatory environment in which the organization operates. 

Ronald Breaux is head of the privacy and data security group at Haynes and Boone, LLP, a firm that advises clients on navigating the privacy and data protection legal and regulatory landscapes, assists in evaluating the associated risks and provides counsel in the development and implementation of effective privacy and data security plans.

Sam Jo is an associate in the Intellectual Property Practice Group at Haynes and Boone, LLP, where he focuses on structuring, negotiating and advising clients on a wide range of outsourcing, technology and intellectual property-related transactions, including: information technology and business process outsourcing arrangements (both on the provider and customer side); technology-driven joint ventures and strategic alliances; development, licensing, cloud computing, manufacturing, distribution, and marketing arrangements, and matters related to e-commerce, Internet law, privacy and data protection.
