Privacy & Legal Considerations

Quick reference

• 00:05 Privacy is a huge concern today.
• 00:08 People are concerned about how their information is used, stored and
• 00:11 who has access to their personal data.
• 00:15 How you respond to these concerns will first be dictated by
• 00:18 the laws of your country or region, but also by how your organization chooses
• 00:22 to handle written internal and external communications.
• 00:27 Where are your electronic data servers located?
• 00:30 What are the policies of your service providers?
• 00:33 What laws govern their operations?
• 00:35 How long is sensitive information such as credit card, biometric and
• 00:40 account data kept on file?
• 00:42 How many people have access to this data?
• 00:45 Do any third parties have access to people's personal information?
• 00:49 And do you have consent to share that information?
• 00:53 All these questions are important because people can choose to do business elsewhere
• 00:57 if they don't feel like their information is safe with you.
• 01:01 Privacy and security starts with educating all employees about these threats and
• 01:06 concerns.
• 01:07 Think, for instance,
• 01:09 about the innocent looking reply to all button on your email application.
• 01:13 This button is intended to send your response to all the addresses in the to
• 01:17 and CC fields of an email that you received.
• 01:21 Aside from being generally overused, this is a potential privacy risk.
• 01:26 For instance, someone might reply to a request for
• 01:29 information by attaching a document that has sensitive information,
• 01:33 but they accidentally use the reply to all button.
• 01:36 So, now the document is in the wrong hands.
• 01:39 And this is one of the reasons why employee sensitivity training is so
• 01:42 important.
• 01:44 Part of the employee training on privacy and security,
• 01:47 should be about why the policy is necessary.
• 01:50 That way employees see that extra layer of security not as a nuisance, but
• 01:55 as a means of protecting them too.
• 01:58 They're more likely to cooperate and
• 02:00 become allies instead of thinking of ways to work around the system.
• 02:06 You no doubt know that bad actors often try to get people's personal
• 02:10 information via phishing, where they pretend to be a trusted organization and
• 02:15 then initiate contact, often by email.
• 02:19 What you can do is to make it easier for
• 02:21 your customers to identify these fraudulent attempts by publicizing your
• 02:25 policy of never approaching customers, asking them for this kind of information.
• 02:31 That way your customers can easily reject any such attempt.
• 02:36 What about hardcopy documents like credit card authorization forms,
• 02:41 employee files, faxes even, who has access?
• 02:44 Where are they stored?
• 02:46 And when and how are they destroyed?.
• 02:50 These policies must be documented in a straightforward way so
• 02:53 that any breach of the policy is clear and undeniable.
• 02:58 Each employee must know what's expected of them and what are the company wide and
• 03:03 personal consequences of non-adherence to a strong privacy policy.
• 03:09 The strong company policy on information security shouldn't be limited
• 03:13 to employee training, but it should also be built in to the systems that you use.
• 03:17 Like having password parameters to reduce weak passwords, setting restrictions on
• 03:23 accessing company networks on none password protected mobile devices.
• 03:29 Accessing company networks on public Internet and providing instead
• 03:34 Virtual Private Network or VPN access to employees working remotely.
• 03:40 The organization should also have in place systems for
• 03:44 revision of access when employees roles change so
• 03:47 that sensitive information is only available on a need to know basis.
• 03:51 And people don't try to take advantage of dormant accounts that have high
• 03:56 level access.

Lesson notes are only available for subscribers.