Health clubs rely on technology to access and manage data used in daily operations, yet accessibility comes with data privacy concerns. A breach of your club’s data can lead to the loss, theft or unplanned release of sensitive information, adding to your costs to respond and potentially harming your reputation and business relationships.
Here are some tips to lessen the likelihood of a data breach:
- Store physical records with personally identifiable or personally sensitive information in locked receptacles. Limit access to only those who need access to perform their job functions.
- Destroy physical records that no longer have a business use or legal requirement as soon as possible after removal from storage.
- For computer systems access:
  - Use strong passwords with eight or more characters and require that users change them regularly to maintain access.
  - Avoid writing down passwords.
  - Make it a policy that employees do not share their passwords, even with each other.
  - Use multi-factor authentication – such as a PIN plus an additional random number series generated by a token after initial login – to allow remote users to log in via a virtual private network.
  - Limit employee access to only applications needed to perform their job functions.
  - Revoke access privileges and credentials immediately when individuals leave your organization.
  - Limit administrative access to only those who need it. Don’t let it be the default setting on all employee workstations.
- Use data safety best practices:
  - Make sure your point-of-sale systems are compliant with the Payment Card Industry Data Security Standard (PCI DSS) and enable point-to-point encryption when processing payments.
  - Once processed, do not store payment card information in your POS system.
  - Segregate your vital business data, such as personally identifiable or personally sensitive information, on servers that do not directly access the internet.
  - Encrypt sensitive data.
  - Enable encryption on employee workstations, laptops, etc.
  - Do not store vital business data, such as personally identifiable or personally sensitive information, on laptops or other mobile devices.
  - Employ appropriate security software, including firewalls and anti-virus applications, and keep it updated.
  - Apply operating system security patches as soon as they are released or shortly thereafter, since most malware exploits known vulnerabilities that these patches address.
  - Update operating systems and other software before current versions are no longer supported and stop receiving security patches.
If you use an IT service or application service provider for your systems, make sure they employ these practices as well. In the event of a breach, it is generally the originator of the breached data that is liable under data breach notification laws, not their vendor.
*This loss control information is advisory only. The author assumes no responsibility for management or control of loss control activities. Not all exposures are identified in this article.
Jayson Scott has 13 years of experience as a commercial lines underwriter at The Cincinnati Insurance Company. Since 2014, he has supported Cincinnati’s growing Fitness, Sports & Recreation program, initially as the program’s dedicated specialist and now as national program director. For more information, contact Jay, Jayson_Scott@cinfin.com or 513-603-5885. Please visit www.cinfin.com/fitness-sports for more information.