The Data Protection Act, the Sarbanes-Oxley Act, HIPAA and other existing legislation lay down a number of mandates with regard to data protection, sharing and use. Very little is said about what you need to do if your enterprise is merged with another or you decide to close your business. But you are expected to use your common sense and ensure that your actions do not compromise the safety and security of sensitive information that your enterprise may possess.
So, where do we begin? We begin by inventorying the different types of digital assets we possess and understanding their nature.
- Businesses may have email accounts. The emails may contain important business communication and contact information about your customers, employees, suppliers, partners and contractors. This information is categorized as “sensitive” by the different legal mandates. It can be disposed of only in accordance with the methods prescribed by the different pieces of legislation.
- The business may possess a number of important documents, presentations, and files containing intellectual property. These are not “sensitive” digital assets in the sense in which the term is used in the legal mandates, but they are valuable assets of the business.
- The business may have databases that are backed up into online repositories or offline media. These files may contain customer information or business information and may or may not be “sensitive” information.
- The business may own a website, domain names and other kinds of outreach programs on social media sites. These have a definite value to the organization even if they are not “sensitive information”.
It appears from the above discussion that digital assets belonging to the business basically fall into two categories – information that can be categorized as “sensitive and valuable information” and “valuable information”. This gives us some clarity. We know that most legal mandates have specific provisions for how we should deal with sensitive information.
In the event the company is being merged with another entity, we are bound by legislation to communicate with each one of our customers, employees, suppliers, contractors and partners and inform them about the change that is going to be effected in data controls. We need to obtain their consent, explicitly or implicitly, before we can actually transfer the data we control to the new business entity that is being formed. Failure to do so could attract the penal provisions under the different pieces of legislation.
If we are closing down our business and the data will be of no use to us, it must be destroyed completely as part of the closure. The data must be removed from backups, tapes and any other media on which it has been stored, unless the data needs to be retained for verification and evaluation under different Acts for specified periods of time. In that event, the data must be completely deleted once the requirements have been fulfilled and the data is no longer required.