One question has always puzzled me. How do you decide what information is confidential, sensitive and critical to your business? Sometimes it might be very obvious, like employee or customer/patient PII (personally identifiable information). Other times it may not be. Is a memo announcing a new product or service confidential or business critical? It may be until you announce it publicly, but after that, it doesn’t matter.
The confidential nature of some information is time sensitive, such as earnings reports. Everyone puts out press releases saying that on such and such a date we will announce our quarterly earnings. Memos and spreadsheets fly around inside the organization and finance crunches the numbers prior to the big announcement. Once the CFO and CEO announce earnings, the information is public. So what about all those internal memos and spreadsheets?
If any of that information gets outside of the company prior to the announcement, it could have devastating effects. The company, its officers, board members, auditors and others could be brought up on charges of insider trading or violating other SEC and regulatory rules. So clearly there is a time element to the confidentiality of this information. If the information in the internal documents is all made public during the announcement, those documents are no longer sensitive.
If I have 3 drafts of a new customer program or offer, those drafts may be confidential while I am developing the program. In fact, it’s likely they are business critical, because the new program may give me a leg up on the competition. Once I announce the program and put it in place, the 3 drafts and the final document are no longer confidential. In fact, it may be critical that all the information in the document is made available to my customers. At this point I want everyone to know about my great new offer.
Other information is clearly not time sensitive, such as a customer’s credit card information or an employee’s PII. That information is always confidential and must be protected. In this case, it’s also important that only certain people have access to this information. While it may be fine to let everyone inside your business know about the new upcoming product, it’s not okay to let everyone know everyone else’s social security number.
Deciding what is confidential and business critical requires more than just looking at the information once. You need to decide how long something remains confidential. PII is always confidential. Business contracts are confidential until both parties decide to disclose them. Price lists are confidential until the next one comes out. Product design information may be confidential or may not be, depending on how you do business. If you are writing open source software, that is most likely not confidential.
Deciding what is confidential, for how long and to whom, requires some thinking. Once you have defined that, you can use technology and some rules to help you manage the information. Just because something is confidential and business critical today doesn’t mean it will be next year.
How do you plan to handle this? Take a look at how you can control how long a document remains confidential.