Is That Data Really Necessary?

Data privacy consultant Bob Siegel says he asks clients to consider, “Do you really need the data that you’re asking for.”

“You can’t lose data that you don’t have,” the Westborough resident says.

Next Monday, Jan. 28, Siegel’s firm Westborough firm Privacy Ref will participate in Data Privacy Day, an international event that “commemorates the 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection,” according to a Privacy Ref press release. The National Cyber Security Alliance coordinates and leads the effort, the release notes.

“It’s really focused on bringing awareness about privacy issues to individuals, but also to businesses, to give them an opportunity to bring awareness to their employees about what they need to do to protect their customers’ information,” Siegel told Westborough Patch recently.

Siegel will hold a webinar, “Kick-Starting a Privacy Program,” that day.

The session will offer “10 steps that a business can take to get started with their privacy program,” drawn from his experience, he says.

The webinar will be supplemented by an article with the same title and published by the Association of Privacy Professionals that day.

The webinar is part of Privacy Ref’s role as a Data Privacy Day champion, which involves providing “educational information to support the 2013 Data Privacy Day theme, Respecting Privacy, Safeguarding Data and Enabling Trust,” promoting data privacy for small and mid-sized businesses through a number of different outlets, including a webinar, social media, blogs, a radio show appearance, and more,” the press release notes.

Siegel said he sees “very high awareness” of the need for data privacy in the health care and financial industries,  “because of the regulations.”

Companies such as TJX and Staples “have large departments that work on privacy,” he added.

But a study showed that among small and midsize businesses, which he defined as having “up to 1,500 employees,” that “70 percent of the business owners didn’t realize they had regulatory obligations to protect personal information,” Siegel said.

Massachusetts has  “one of the most prescriptive privacy laws in the country (201 CMR 17.00), but not everyone has stepped up to comply with it,” he said.

“Businesses are starting to see revenue impacts because they’re not complying with that law here in Massachusetts,” said Siegel, who founded Privacy Ref last July.

“Particularly B2B companies” are in this situation, he said.

“I’m working with one customer who sells to other businesses and they’ve been asked for their documentation, it’s called the Written Information Security Program, to show that they’re compliant, from a few of their customers,” Siegel said.

“They didn’t have one. So the customers have given them a deadline and said, ‘Put one in by this date, or we’re going to have to look for another vendor.’”

Siegel said that “most of the data loss that we’re seeing is from employees trying to do the right thing but some mistakes get made. For example, you’ll see a backup tape that is being transferred from one facility to another, and it gets left on a train.”

“That’s what happened with TD Bank several weeks ago. They lost over 200,000 records for employees up and down the East Coast. The data wasn’t encrypted, wasn’t protected at all. And that’s how the data got lost,” he said.