1. KNOW THE DATA
If you take comfort that you are not a government contractor with details about troop deployment on unencrypted laptops or a healthcare company with patient information in the Cloud, or if you have relegated “PCI Compliance” to something rote, take notice. Any non-profit, low-tech or other company has likely stored, beyond the more obvious categories, benefits information, background check results, payment data, emails, lists of job applicants, vendors, customers, and other non-public personally identifiable information. For a laundry list, check out the risk factors in any 10-K or offering memorandum.
2. MAP THE DATA
On what servers and in which data centers does it sit? How is it routed? Is the company relying on the now-invalidated safe harbor for transfer from the EU to the U.S.? Who is supposed to have access? Through which systems? It is the atypical circumstances that few remember. For instance, does an auditor transmit information out of the country in violation of local rules? Or, when are vendors brought inside the firewall? What about a deal discussion and due diligence?