Responding to data risks in the workplace: Take proper care - WTRF 7 News Sports Weather - Wheeling Steubenville

Responding to data risks in the workplace: Take proper care

Posted: Updated:
Jill McIntyre Jill McIntyre
Eric Whytsell Eric Whytsell
Emily M. Renzelli Emily M. Renzelli

Jill McIntyre is a member in the Jackson Kelly's Charleston office. She is a part of the Industrial, Environmental and Complex Litigation Practice Group and has a broad litigation practice. McIntyre leads the firm's Electronic Discovery Team and follows closely the development of electronic discovery law and principals, along with emerging technologies implicated in the discovery process. She regularly advises clients and colleagues about digital technologies; retaining and discarding electronically stored information; preserving, locating, collecting and producing data involved in litigation and/or government investigations; and engaging in proportional, cost‑effective discovery.

Eric Whytsell is a member of the Jackson Kelly's Government Contracts and Investigations Practice Group who helps clients identify opportunities and resolve problems that arise in connection with selling goods and services to the government. He represents a wide variety of clients — from small businesses to major multinational corporations — in an assortment of industry sectors, including aerospace and defense, higher education, software, IT and other services, electronics, research and development, financial, construction, transportation, health care, biotech and manufacturing.

Emily M. Renzelli is an associate in the Jackson Kelly's Charleston office. Her practice focuses on environmental and energy issues as well as general litigation matters.

As business operations have become increasingly digitized, potential sources of legal liability have multiplied exponentially. Reliance on computers for communications and recordkeeping means more opportunities for even well-meaning employees to put the company at risk through their use (and misuse) of data. In addition to efforts to ensure compliance with defamation laws and criminal statutes concerning pornography, obscenity, harassment and certain gambling activities, companies must now guard against security breaches and other compromise of customer data, violations of intellectual property laws and fraudulent offers. 

As complicated as this effort can be, however, there are basic concepts that savvy businesses should keep in mind when confronting data-based risks. Taken together, they can form the basis of an effective data security and management plan — one that will both minimize the risk of liability and also ensure that the company will be able to effectively and efficiently respond in the event a misstep does occur.


One fundamental way to minimize risk of employee missteps is to establish and maintain confidentiality of data by limiting the number of employees with access to the system or data in question. Proper access controls keep sensitive information away from individuals who do not need to see it in order to perform their duties. 

Such controls also help prevent the unauthorized dissemination of sensitive information by creating accountability among those who are authorized to view or modify the data. In addition, they reduce the number of employee accounts susceptible to attack by intruders attempting to mine for private data.

Successfully controlling employee access depends largely on effectively limiting access to network resources. Not all employees need to see and use every bit of data on a company's network. For example, only human resources personnel and perhaps certain top management will need access to employee-related files. The best way to protect this data from everyone else is to set up the company network so that only certain authorized users may access that content.

Most systems will, at least in part, determine access rights based on passwords. Strong passwords also provide an essential defense against outside intruders. Consequently, companies should train employees how to create and secure passwords and set their systems to reject weak passwords.


Businesses can also minimize risks by properly protecting the data on their systems and making sure it cannot be modified in unexpected ways. A loss of data integrity renders the data less valuable — and potentially even harmful to the company. Within a business, lack of data integrity may result from employee error, intentional tampering (internal or external) or an unforeseen disaster. 

Mitigating the likelihood and impact of such occurrences requires more than access controls within the network. Additional security controls are essential, beginning with firewall protection that restricts data flow between internal and external networks, including but not limited to the Internet. Also key is encryption — the process of transforming data into an unreadable form to prevent unauthorized access and use. In addition to proper levels of encryption, businesses should establish or take advantage of systems that log activity occurring within the network. Such logs allow review that may identify abnormal activity and trigger additional steps to prevent unauthorized access.


Properly caring for a company's data also involves making sure to store it in the right place. Access controls and data integrity only work if you can find what you have protected. However, availability requires more than simply putting the data on the right server and properly restricting access. The company's network must also be physically secure. Key methods of promoting availability include restricting physical access to network servers, establishing off-site storage of critical data, and implementing effective disaster recovery procedures. 

In addition to protecting against intruders and unintentional modification or destruction, effective data availability ensures efficient access and use for corporate and litigation purposes. The business will not only be able to conduct its day-to-day business more efficiently, it will also spend less time and money retrieving, organizing, and reviewing electronic data in the event of litigation or government investigation.

Designing Your Plan

Obviously, every company faces its own unique situation with its own range of data-based risks. One size most definitely does not fit all. However, every data security and management plan should address the concepts of confidentiality, integrity and availability in the context of the company's circumstances. Answering the following questions is a good way to begin the planning process:


  • How will employee access be restricted to information they "need to know"?
  • Can employee access controls be established on a system level?
  • What is the best way to ensure that employees consistently use strong passwords?
  • How should firewall protections be deployed?
  • How will proper level(s) of encryption be determined and applied?
  • Can employee activity on the network be appropriately logged and monitored?
  • How will the company protect the physical security of its servers?
  • How will the company establish and implement off-site and back-up storage protocols?
  • Are there any specific data retrieval considerations presented by the nature of the business?
  • How will the company communicate to employees constraints of use and privacy limitations when using company-owned networks?
  • How will the company audit compliance with its use-of-technology policies?