Defining Sensitive Documents to Protect

Classifying information is vital to help protect it from unauthorized disclosure. Typically, inappropriate revelations get detected when personal data is publicized, which can mean litigation involving a corporate authority and the public and loads of negative hype.

Once a sensitive item is discovered, the company is required to determine whether the disclosure of that information is reasonably expected to damage the company or its reputation, or if it would pose a significant competitive threat to the business. If the disclosure is legal, the company has to seek consent from the individual whose information was disclosed.

The new model was devised by Thompson Reuters Trustee and Tax Policy Center to help corporations and governments do the right thing when sensitive or confidential documents are discovered.

What documents should you protect?

The most sensitive documents, which can be difficult to identify and for which risk is hard to minimize, are those that involve legal strategy, labor-relations problems, business contracts or personnel files. While that applies to a wide variety of industries, it does not include sensitive financial documents such as profit and loss statements. Companies need to be alert for legal conflicts in these areas.

People in sensitive positions that might need document protection include customers, suppliers, personnel and even former staff.

However, an account executive who works for a small, locally based business selling online products and services cannot afford to make “the world a better place” by maintaining a wall between business and personal matters. In this case, the firewall is built around protecting an employee’s job.

Customers often become more private and less generous to a company when they learn that they are selling products to a company that has an uncomfortable relationship with its customers, employees and other business partners.

To prevent confidentiality concerns, the best strategy is to prohibit public disclosure of any information related to a company’s business outside the company.

While working on this issue, we were also asked to provide an opinion about whether companies should publicly disclose any information they have discovered about illegal, unethical or discriminatory practices. It is clearly in the interest of a company to do this if they find proof of discrimination or waste.

However, it is often not possible to establish a smoking gun that leads to a whistleblower or other evidence of illegal activity. In those cases, the burden of proof is on the company to establish reasonable cause and warrant disclosure of the information. If a company fails to come to that reasonable conclusion, it may well find itself at the wrong end of a court case where it can be accused of violating the state’s public records act.

Some important documents that need end-to-end security include official documents, contractual agreements, board meeting minutes, strategic analyses, analyst views and suggestions, classified manuals, insurer analyses, franchise contracts, service documents, training courses and materials, M&A information, to name but a few.

Does it matter if something is private?

People have different opinions on the value of confidential information. However, it is widely held that confidential information should never leave the room in which it was created. The risk associated with the loss of that information is considered too high.

Nevertheless, that does not mean that records of a commercial transaction should never be released. For example, people who buy car insurance frequently want to review the terms of their coverage before they sign.

Of course, they cannot do this without the contract in which the details were revealed, and it can certainly lead to claims that the contract was improperly written.

Putting this into practice

Managers need to be aware that every act of disclosure (and non-disclosure) has a consequence, and it may have a financial and reputational cost for the company.

They should also be aware of how sensitive their company’s confidential information is and be mindful of the potential consequences of sharing it with third parties. Companies can proactively reduce the risk of disclosing sensitive information by:

• Installing security measures to reduce the risk of document theft, damage or alteration.

• Developing policies and procedures for securing information.

• Ensuring that employees have a written process for disclosing any information in their possession.

• Creating and using appropriate digital storage solutions, and developing robust network-hardened systems for document management.

• Notifying customers of any security breaches within their company.

• Reminding employees that it is never appropriate to share confidential company information.

• Including a disclosure clause in all contracts that states that a breach of confidentiality may result in sanctions.

In cases where the contract is not open source, incorporate a provision into the agreement that the first disclosure of information related to a commercial transaction should occur within three business days. This ensures that sensitive data will not remain in the hands of the employer, but will be used only in good faith.

Document location management & DRM

Ownership of documents can quickly be lost in a company. If a company has hard copies of documents that are supposed to be archived, the basic document management system might not store those copies. This is a common problem as local government employees or university students fill the gaps for local government or university data collection and archiving.

The task can be overwhelming as staff move between different offices and temporary facilities. The management team will need a tool that can store the document collections and the different versions and formats of documents.

DRM or similar protection is often needed for such solutions, and there is a need to ensure that the content is not shared among the documents. It is vital to keep records that need to be permanently preserved and cannot be easily downloaded or copied.

Business managers need to incorporate security into the initial architecture design of the management systems for all-new and innovative office buildings. At the same time, these developments should be implemented with the knowledge that an organization can become a target of IT attacks from multiple directions.

The costs involved in developing, operating, maintaining and protecting new technologies should not be underestimated, and employees need to be educated about what is possible and what can be expected.

Why your organization needs PDF DRM

Every business wants to protect documents, but to do so correctly, they need to understand the requirements of the digital workflows within the organization.

Document DRM solutions are an ideal document security option. The right DRM solution should enable you to set expiry controls when protecting documents, expiring those documents regardless of whether the user is connected to the Internet. This is especially important for employee-owned equipment such as the whiteboards, laptops and tablets that are on loan.

The solution should include time limits on documents to prevent them from disappearing into the virtual ether. For IT managers, this should mean no more IT files disappearing into the wastepaper basket.

Also, the solution must address concerns about disclosure of confidential information or protected information to third parties. A number of solutions provide encryption, but they often come with a ‘black box’ that is more of a black squiggle. All you need is the encryption key to unlock the solution and make the information available to authorized parties. The solution can also offer image and text encryption to protect sensitive information, but the key is not provided.

DRM provides a level of protection that allows you to control the distribution of files and limit access to documents within your organization. It also provides a clear distinction between how information is protected and how it is accessed.

Pintu is the admin and editor-in-chief at Gizmoradar. He crafts actionable tech guides related to Windows, Android, Mac, and iOS. He's been writing how-to guides for many years now and has covered many topics.