IT and the Changing Privacy Landscape: Eight Areas to Watch in '08
Privacy and compliance are mainstream business issues that can be simplified by following these tips from analyst firm Ernst & Young.
One of the first places to start is by defining clear policies and procedures for the chain of custody over portable media containing personal information, and by leveraging available technology solutions to help minimize its exposure. For example, not all employees who travel frequently and require access to personal information need fully functioning laptops. Laptop-style "thin clients" that keep no data locally are gaining attention where high-speed network connections are commonly found. Network-based backup can also help limit the use of traditional tapes and disks, which have been at the center of many of the vanishing acts leading to breach notifications.
Portable storage devices complicate the issue of data retention as well. Organizations need to balance the benefits of keeping personal information against the risks of protecting it. The issue becomes more complex when certain personal information held by an organization is not subject to any regulatory retention requirement or a clear definition of how long it can or should be kept. Organizations should keep extraneous personal information off portable media, and then implement processes and controls for staying on top of retention limits.
Decode or Not Decode: The Evolving Use of Encryption
Personal information is vulnerable to theft or other loss whether it's considered "at rest" in a computer, a tape or a USB memory device, or "in motion" through an e-mail message. Protection needs to be equally mobile. Encrypting portable devices, media and computer communications (including e-mail messages and attachments) is becoming more prevalent and should become a standard operating procedure in 2008. Organizations that have yet to do so should pilot and implement laptop, e-mail, and portable media encryption solutions for devices and exchanges that involve personal information. Common tools for encrypting e-mail attachments should be provided to business units that routinely handle personal information and made mandatory for transfers to third parties via otherwise unprotected methods.
The Three-Legged Stool: Strict Standards for Vendors and Business Partners
Sharing personal information with vendors and business partners is commonplace and necessary in today's global market environment. Even more necessary, though not yet common, are effective programs that monitor how privacy is managed once that information leaves the organization.
The most critical questions to ask third-party vendors are "What will you do with this information?" and "How are you protecting it?" Leading companies have developed vendor risk management processes that account for privacy: performing due diligence during the selection process, putting controls in place for secure information transfer, and making compliance with those controls a contractual commitment. What must exist, whether through long-term trust building or a binding contract, is a solid base of confidence that the vendor can protect personal information and govern its use.