Data Protection & Compliance Resources

To help you manage information security and regulatory compliance

Businesses are digital storehouses of confidential and valuable information – client lists, receipts, financial statements, credit information and other confidential business and client records. All are vulnerable to theft and compromise. Identity thieves will dig through dumpsters, or stalk employees waiting to steal a laptop, external hard drive, or tape backup of confidential customer information. To combat theft and data compromise, businesses must safeguard themselves and their clients/patients.

Ask yourself:

• If data is lost, can it be restored, and how quickly?
• If a computer or smartphone escapes control of the company is its information accessible?
• What am I legally obligated to do if data security is breached?
• How do I protect my business and our clients/patients?

Recent privacy laws hold businesses and their management liable for the confidentiality of employees’ and customers’ information:

• HIPAA, the Health Insurance Portability and Accountability Act, holds everyone from doctors to pharmacists accountable for protecting patient records.
• Gramm-Leach-Bliley Act holds financial advisors and institutions responsible for safeguarding customer information.
• State and Federal laws are requiring businesses to take proactive measures to protect customer and employee privacy, and to report breaches when they occur.

Establishing a comprehensive process to secure business and consumer information against threats is as important as a data backup plan that restores lost data. Each year the technology landscape evolves, and more and more data protection laws are enacted and enforced. With the stakes higher than ever, companies must assess risks, implement controls, remove gaps, and regularly update data security processes.

With DriveStrike‘s goal of providing endpoint data and device security, we understand your risks and actively work to provide you with the most timely information and tools to address it. Below is a list of free resources: industry legal requirements, best practices, forms, links to other resources, incident response guides, and industry-specific templates for your data protection planning.

DriveStrike Background:

• DriveStrike White Paper

Mobile Device Use & Wipe Waiver Templates:

Make sure you define and implement company standards for acceptable mobile device use. It is also important that if your employees, contractors, or any other personnel access company data using their mobile device that you have them sign a remote wipe waiver and install a remote wipe solution.

• Mobile Device Acceptable Use Policy Template
• Mobile Device Remote Wipe Waiver Template
• Mobile Device Acceptable Use Training Presentation PDF
• Mobile Device Acceptable Use Training Presentation PowerPoint

Legal Requirements:

• Federal Trade Commission (Red Flag Rule)
• Red Flag How To Guide
• FTC Red Flags Video
• Federal Rules of Civil Procedure
• Health Insurance Portability and Accountability Act (HIPAA)
• HHS Risk Analysis and Risk Management Tool
• Federal Trade Commission Health Breach Notification Rule
• Department of Health Services Breach Notification Rule
• Massachusetts Standards for Personal Information Protection (201 CMR 17.00)
• Gramm-Leach-Bliley Act
• Sarbanes-Oxley Act
• Personal Data Privacy and Security Act of 2009

Privacy & Confidentiality Agreements/Templates

In several industries, regulations require that service providers with access to your data sign a business associate or confidentiality agreement. Even in non-regulated industries, such agreements help protect the technology buyer by documenting the responsibilities and quality standards your service partner employs in handling your data. Remember that if one of your service providers has a security breach you are obligated to notify your clients/patients. You are as strong or as vulnerable as your service providers.

• Business Associate Agreement (Medical/Dental – HIPAA).doc
• Confidentiality Agreement (All Suppliers).doc
• Access & Confidentiality Agreement for Students Employees Volunteers (Medical/Dental).doc
• Computer & Information Usage Agreement (Medical/Dental).doc
• Vendor Data Security and Confidentiality Agreement (Medical/Dental).doc
• Workforce Confidentiality Agreement (Medical, Dental).doc

How-To Guides, Incident Response Resources, & Other Tools

These are excellent resources for learning how to implement a security breach policy, process,and response plan.

• Data Breach Incident Response Workbook by Debix.pdf
• Data Breach Notification Responsibilities by Debix.pdf
• Breach Response Plan by AICPA.pdf
• HIPAA Security GAP Analysis.doc
• HIPAA Privacy GAP Analysis.xls
• HIPAA Business Associate Assessment.xls
• HIPAA EDI GAP Analysis.doc
• DHS Cyber Resilience Review

• National Cybersecurity Assessments and Technical Services Resources

  1. Cyber Hygiene: Vulnerability Scanning
  2. Phishing Campaign Assessment (PCA)
  3. Risk and Vulnerability Assessment (RVA)
  4. Validated Architecture Design Review (VADR)

Other Resources

Here are some links to outside resources and businesses that we respect.

• Microsoft BitLocker Administration & Monitoring VIDEO – Free if you have a Windows Pro License
• Open Source EndPoint Encryption VeraCrypt VIDEO – Free and easy to use
• American Institute of Certified Public Accountants (AICPA)
• Notification Laws (National Council of State Legislators)
• Notification Laws by State Info-Graphic