Electronic information privacy will eventually be one of the criteria on your job performance review.
In fact, it's not just electronic data that you should be concerned about, but all data. If you are an employee or executive at a corporation, association, university or small business, you must realize that protecting organizational data is vital not only to your company's profitability, but to your job security. If it isn't right now, it will be soon.
As a company employee or business leader, it is essential that you clearly understand the relationship between identity theft, data breach and your bottom line. One of the costliest data security mistakes I see executives make is that they initially approach data privacy from the perspective of the company.
They don't recognize the following reality: All privacy is personal. It's not electronic information privacy. It's not physical data privacy. It's personal.
In other words, many people in your organization wonâ??t care about data security, privacy policies, intellectual property protection or data breach until they understand what it has to do with them.
If employees and executives don't care about protecting their own identities (to prevent identity theft), how can you expect them to care about protecting corporate identity (to prevent data breach)? Like the emergency oxygen masks on a de-pressurized airplane, you'd better put your own on first or you'll be worthless to those around you. Protecting yourself first isn't self-centered; it's effective and educational.
Information Privacy Training begins at the human level and expands outwards to the group level. And it is not technical by nature.
This foundation of belief, despite and possibly contrary to the onslaught of information privacy acts, is clearly lacking among C-Level corporate executives. Look at the key findings of the Ponemon Institute/Ounce Labs study, Business Case for Data Protection, which surveyed C-Level executives about information privacy inside of their corporations (emphasis mine):
* 82% of the C-Level executives surveyed said that their organizations had experienced a data breach and many of them are positive they cannot prevent a repeat performance
* 53% of the CEOs surveyed said that the CIO is responsible for data protection, yet only 24% of the other C-Levels would point to the CIO as the one responsible for data protection overall
* 85% of those who are said to be in charge of data protection don't believe that a failure to stop a data breach would impact their job
In other words, C-level executives know that a breach has already happened, are fairly certain it will happen again, know that they are unprepared to stop a recurrence, and yet they can't clearly identify who will be held responsible, nor do they feel that they will be held accountable when the inevitable happens. At this stage, building a Culture of Privacy is mostly bluster, as is electronic information privacy.
According to Ponemon, the average organizational cost of one data breach to a company was almost $6.7 million in 2008. The negative effects on our bottom lines is what will give this topic traction, not any one privacy information act. The question is, how many data breaches can one company sustain, and how many does it take to get them to respond? Information privacy, electronic and otherwise, is vital to your company and in turn, your job security.
Here is a crash course on how to promote information security within your company. The most effective way to build a Culture of Privacy is to break it down into 3 simple steps (most corporations skip the first step, dooming them to failure):
1. Motivate the Individual. Train yourself, your employees and executives on how to protect identity and company information first. Learning the basic principles of privacy at an individual level is a pre-requisite for all subsequent forms of data security, and supplies the necessary motivation to apply the same habits at work.
Each employee needs to overcome their own apathy, ignorance and inaction before they are equipped to protect corporate assets. By making it personal, your executives and employees are acquiring the building blocks necessary to construct a corporate Culture of Privacy. Electronic information privacy training is good for their wellness, and is a means to a safer and more profitable end.
2. Empower the Team. One employee alone does not have the authority or resources to act. By empowering cross-departmental teams (who already understand privacy at a personal level) with the authority and resources to focus on low-hanging security fruit (e.g., laptop computers, document shredding, wireless surfing), you make immediate progress and win crucial organizational buy-in.
In contrast, organizations with a Regime of Privacy tend to force data security into a silo (e.g., "It's the I.T. Department's responsibility" -- see statistics in Part I), never taking into account the vital role played by legal counsel, compliance officers, the CFO, human resources and even facilities maintenance. In a Culture of Privacy, the team is integrated, and the results are more enduring.
3. Lead by Example. There is nothing that undermines a Culture of Privacy faster than an employee or executive team that doesn't practice what they preach. A CEO who surfs unprotected in the airport or refuses to invest in desk-side shredders will send a hypocritical message echoing throughout the corporation: "privacy doesn't really matter, we're just going through the motions."
In the same manner, a CEO who appoints some form of Chief Data Protection Officer but doesn't supply the vision, budget or authority to make it happen, is the same CEO whose data breach catastrophe shows up on the front page of the Wall Street Journal.
For example, once you have learned to properly shred sensitive documents at home, it is much easier to apply a more sophisticated form of shredding at work. Individuals and business leaders who know how to protect themselves from identity theft on a personal level, will be more knowledgeable and prepared to protect their company's electronic information from data breach on a business level.
About John Sileo
About the author: John Sileo became America's leading Identity Theft Speaker & Expert after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. To further bulletproof yourself and your business, visit John's blog at Sileo.com. To book John at your next event, visit www.ThinkLikeaSpy.com.
For web users who would prefer to subscribe to the web feed, click the "Feed" button below.