Best Practices: Preventing a Data Breach

This is part one of a three part series from Brandie N. Weddle and Laura J. Butte of Arnold & Porter LLP on the prevention, mitigation and response to a data breach.

Businesses collect personal information for business purposes, including receipt of credit card information to complete a purchase or even social security numbers to process a credit application.  For a number of reasons unrelated to business purposes, including inertia, businesses maintain personal information longer than necessary.

A first step at prevention is to implement a data retention policy that ensures sensitive data is destroyed after it has outlived the business purpose for which it was initially collected.

A second step is to limit who within the company has access to the data and to run background checks on persons for whom access is required.  Although insider data breaches may not garner the legislative attention of some of the more recent data breaches, data breaches are often carried out by business insiders.

Finally, depending on the technical sophistication of the business and its exposure risk, businesses should consider introducing state of the art protections on access to sensitive data, including encryption technology, at the earliest point of receipt and throughout the chain of use.