Data Security and Information Governance

All business data should be classified into four tiers. Tier 1 — Public: information freely available (property listings, marketing materials, company website content). Tier 2 — Internal: business information shared within the team but not externally (SOPs, meeting notes, pipeline reports). Tier 3 — Confidential: sensitive business data (financial statements, deal terms, pricing strategies, contractor rates). Tier 4 — Restricted: personally identifiable information (SSNs, bank account numbers, tax returns, driver's licenses). Each tier has handling rules: Tier 4 data must be encrypted at rest and in transit, accessed only on a need-to-know basis, and deleted when no longer needed. Tier 3 data requires access controls and secure storage. The workflow for handling restricted data includes: collect only what is necessary, transmit via encrypted channels (never plain email), store in access-controlled systems, and destroy per retention schedule.

Access control ensures that team members can access only the data and systems needed for their role. Implement the principle of least privilege: every user starts with zero access and receives only the specific permissions required for their job function. An acquisitions manager needs CRM access but not accounting system access. A bookkeeper needs accounting access but not marketing platform access. When team members change roles or leave the company, access must be updated or revoked immediately—within 24 hours for departing employees. Use a centralized access management checklist that documents every system, every user, and their access level. Password policies should require minimum 12-character passwords, multi-factor authentication for all business-critical systems, and a password manager for credential storage.

Despite best practices, breaches can occur. A data breach response plan has five phases. Phase 1 — Identification (0-1 hour): detect the breach, determine the scope, and identify what data was compromised. Phase 2 — Containment (1-4 hours): isolate affected systems, change compromised credentials, and prevent further data loss. Phase 3 — Assessment (4-24 hours): determine the full extent of the breach, which individuals are affected, and what regulatory notification requirements apply. Phase 4 — Notification (24-72 hours): notify affected individuals and regulatory authorities as required by state breach notification laws—most states require notification within 30-60 days, but some require notification within 72 hours. Phase 5 — Recovery (1-4 weeks): remediate the vulnerability that caused the breach, implement additional controls, and document lessons learned. Having this plan documented before a breach occurs reduces response time by 50-70%.