Legal Brief: Communication Is Key to Security Compliance

Posted by Justine Young Gottshall on January 19, 2007

When it comes to compliance, IT departments that don't communicate with other business units are doomed to failure. Consider the following situation, which I've seen happen several times:

Marketing Division A asks IT for the e-mail addresses of customers who've shown interest in a product by registering on the company Web site. IT complies, and Division A launches an e-mail marketing campaign. Problem is, the Web site is run by Division B, which had posted a statement on the registration page promising e-mail addresses would never be shared. The result: an unintentional privacy violation.

Clearly, someone needs to be looking at the big privacy and security compliance picture.

IT has a role to play in three major components to privacy and security compliance: corporate policies, assessment and implementation, and training. But IT also must accept the roles other divisions will play in areas typically within its domain.

» CORPORATE POLICIES: Do not underestimate the importance of written policies addressing data-protection issues. Security policies, HR policies, privacy policies for internal and customer data, document-disposal policies, security breach policies--all are necessary as part of corporatewide training programs and to establish compliance baselines. They'll also prove essential in defending your company should it be accused of a legal violation. Collaborate with other divisions, such as HR, to create policies that govern IT functions that touch on security and compliance, such as disclosure of employee monitoring.