Kroll Cyber Security Blog – A Dialogue on Data Security

In last week’s post, we discussed why a company should have a security policy that addresses protecting the personal identifying information (PII) of customers and employees alike.  But information security policies are only as good as their execution by employees and administrators. Implementation of the information security policy, like all new ideas in group settings, requires buy-in by those who will participate – without it, the policy is mere words without deeds.

On Monday, MA 201 CMR 17.00, which protects personal information collected from consumers, will take effect in Massachusetts. The new rules are meant to ensure the security and confidentiality of personal information, to protect against anticipated threats to the security or integrity of such information, and to safeguard against unauthorized access to and use of personal information in a manner that creates a substantial risk of identity theft or fraud.

Businesses shoulder something of a “double burden” when protecting sensitive information. They must protect the company’s Unique Business Identifiers (UBI), as well as the Personal Identifying Information (PII) of individuals such as employees, customers, students, and other stakeholders. Protecting UBI preserves the company’s ability to thrive and reduces the likelihood that it will be exploited for financial gain. Protecting PII from the threat of unauthorized use is also vital to the company’s livelihood.