By Paul Zimmerman, Partner
For businesses, this year should be about devoting resources to more efficiently and securely manage data.
Whether this includes employee files, customer information or business records, the changing regulatory environment increasingly complicates the use, security, and life cycle of data. There are a number of applicable statutory and regulatory schemes that constantly cause changes to this aspect of business, such as compliance deadlines recently effected under HIPAA and HITECH, and other statutes like the Gramm-Leach-Bliley Act.
This is a serious issue because the consequences of not keeping data secure are becoming increasingly severe. The burden on any business that holds any type of protected data (such as protected health information under HIPAA, financial information, credit information, employee data, etc.) is not only to protect that information but to notify the person connected to the data and the appropriate government agency in the event of a data breach. Many states have their own reporting requirements as well.
Another issue when it comes to managing data has to do with becoming involved in litigation and efficiently being able to find the data you need relevant to that litigation. Electronic data poses bigger problems than paper files in this regard. It is also important to prevent the cost of engaging in that litigation from being prohibitive or from threatening the business.
Generally, it is best to eliminate data if you do not need it for business reasons and are not obligated to maintain it, particularly if your data practices are very lax in the way you organize data or manage its lifecycle. Failure to have organized and easily accessible data will make litigation more expensive and more difficult. This can put your business at a disadvantage in achieving the outcome that it wants in litigation.
If you have systems already in place in the way you manage data that assist you in litigation that arises, then the business is going to be better off coming out of the litigation on the back-end. Being prepared usually requires some investment both in terms of money and in devoting resources within the company. It is often a “pay now” or “pay later” proposition. If you pay now, you can control litigation more effectively, have more predictability in its outcome, better plan your budgets, and you can better control the fate of your business—not to mention the possibility of improved operation of your business.
Many helpful tools are available, but that landscape is constantly changing as well. Tools to consider include everything from archiving software to information management software and security software that controls and tracks access to data. An ability to provide an audit trail of who has accessed what data is becoming increasingly important.
What each company needs or doesn’t need varies greatly—it is not a one-size-fits-all situation, and really depends on the type of data held by the business, its business needs, and the regulatory scheme(s) affecting the business. Some companies have huge amounts of data accessed by several people on a daily basis, while it’s not so much of an issue for others. The needs of a medical practice will be be hugely different from that of a contractor. There has to be a multi-disciplinary approach to identifying what the needs of the company are. This will involve IT, the legal department, human resources, the finance department, the business units affected, and probably others (depending on the business). It’s important to have buy-in at the top level of the company to come up with a solution that will be successfully implemented with minimal adverse effect on the company’s operation and hopefully with increased efficiency.
So when it comes to navigating data management and security issues while staying compliant and operating the business, remember that it requires a concerted effort. The alternative can be costly.