Regulations on protection of confidential information
The formal requirements of the law on the protection of trade secrets require the issuance of an internal regulation in the company governing what information belongs to the protected and how protection measures are implemented. Without the development of such a provision, it is unlikely to solve the problem of bringing the culprit to justice for data leakage.
Necessity of position
Information protection regulation - a document that describes all aspects of working with confidential information. It is possible to make a clause about liability for disclosing commercial secrets in labor contracts, but this rule will not work if you do not explain why the data is classified as a commercial secret, on the basis of which regulations they cannot be disclosed, and what is meant by disclosure.
The internal regulation of the organization is adopted at the top management level and approved by the executive body. Particular attention should be paid to a clear description of information related to confidential. The Law "On Commercial Secrets" names a list of data that cannot be recognized as such: from constituent documents to balances. But in practice, the list includes all categories of data that have a business nature, regardless of their actual value or attribution to the public. This complicates the work of all services that are obliged to track access to confidential resources, since all company files begin to refer to them, and real data protection becomes impossible. A short list with a ranking according to the degree of security is required. After the approval of the regulation, it is necessary to familiarize the employees of the organization with the condition of signing in the accounting logs.
When developing a document, it is necessary to pay attention to the sections that describe the need to protect confidential information for employees:
- determination of information to be protected. The more specific the data will be described, the less difficulties will arise when working in project teams or remotely, when any letter to a counterparty containing numbers or business concepts may be considered a violation of the regulation;
- data disclosure concept. Some organizations, disregarding the requirements of the law, under the disclosure mean the transmission of data by e-mail, company counterparties or work with them on a personal device. Although even in the case of uploading data to the cloud storage to work with them remotely, the law will not see disclosure. Such situations should be regulated not within the framework of trade secrets, but within the framework of the company's internal instructions for working with data, the violation of which entails disciplinary liability;
- applied means of information protection. Often, the mention of the presence of software tools that control the work with data is stronger than the threat of liability;
- labeling requirements for data containing trade secrets. For paper media, privacy labels must exist, files or folders need to be labeled.
The statement on the protection of confidential information is not required to be posted in the public domain. Employees get acquainted with him against signature. Its careful study will help to remove many issues related to information leaks.