Developing a Public Information Policy
What is a Public Information Policy?
Public Information Policy focuses on how a business manages the information it releases to the public domain. This includes what your front-line employees share over the phone, what gets put in press releases, everything said on social media in the name of your business, and everything on your website. A Public Information Policy outlines what types of information are considered sensitive and should instead be kept either Internal or Confidential.
Why is Having a Public Information Policy Important?
Inadvertently disclosing sensitive information publicly can have serious consequences. Social engineering attacks can utilize publicly listed employee names and email addresses to craft phishing emails. Unprofessional emails can be screenshotted and shared, damaging a company’s reputation. Disclosing sensitive information, or even simply storing sensitive information incorrectly, can put a company out of compliance, opening it up to government fines or lawsuits.
How Do I Develop a Public Information Policy?
Awareness of the need for a good Public Information Policy, and a desire to develop one, is the first step. If you’re reading this and you’ve made it here, good job! You’re on your way. Second, someone at the company with the knowledge and authority to make policy decisions should be selected. From there, information falls into two major categories:
What Do You Think is Valuable to Share?
This is your ‘allowed’ public information: information that can go on your website, be shared on social media, or be discussed by your secretary or front-line workers with anyone who calls or contacts you.
Here are a few examples that every business should strongly consider sharing:
- Main Phone Number
- Main Email Address
- What Specifically Your Business Does
- A Portfolio, Menu, or Samples of Your Work
- Your Company Vision/Mission Statement
- Operating Hours
Here are a few examples which may or may not be right for your business to share:
- Owners’ Names
- Sales Contact
- Business History or Owner’s Story
- Company Location
- Company Ethics
- Source Materials Used
- Funny Jokes or Industry Information (on Social Media)
What other information do you think would be advantageous for your company to share?
What Do You Think is Harmful to Communicate?
This is restricted information that is more fully defined in other policies as either Confidential or Internal, but it’s valuable to list it briefly in the Public Information Policy as restricted. By default, it should not be shared publicly, but in special cases and with authorization, some details can be shared.
Here are a few examples of information which should probably never be shared:
- Company Software Versions/Platforms (Internal/Confidential)
- Company Asset Information (like company vehicle models/license plate numbers) (Internal)
- Vendor/Customer Lists (Internal)
- Company Profit and Loss Reports (Internal/Confidential)
- Employee Pay (Internal, Confidential, or Private)
- Usernames or Passwords (Internal and Private)
- Customer Payment Information (Confidential)
Here are some examples of information which may be shared with the proper authorization:
- Pricing (Internal/Confidential but Shareable)
- Employee Names (Internal/Confidential but Shareable)
- Employee Email Addresses (Internal/Confidential but Shareable)
- Material Costs (Internal/Confidential but Shareable)
- Employee Benefits (Internal/Confidential but Shareable)
- Employee Attendance (Vacation or Paternity/Maternity Leave) (Internal/Confidential but Shareable)
- Company Opinion (Internal/Confidential but Shareable)
Where to Go from Here?
Once the information is categorized, work can begin immediately on disseminating or restricting it. You’ve got to develop a plan to update your website or make a list of guidelines for your front-line staff to begin practicing immediately. For example, if employee phone numbers are now Internal, your secretary can no longer give them out to whoever calls. So, “Let me get your number and I’ll have our sales team call you right back” should be the new norm. There will be many processes like these that need to be discussed and developed. You should also set up a directive for Internal or Confidential information that can be shared, with specifications on who it can be shared with. There’s no point in developing a strong policy if it’s not put into practical application. Take the time to write out the policy and, with each point, give a good example of practical application. That will help strengthen the policy and may inspire you with additional policy insights.
What to do if There’s an Information Breach?
An entire book could be written about best practices for information breaches. But to keep it simple I’ll make a few suggestions.
- Verify the breach, possibly using an outside consultant, and positively identify the source.
- Immediately mitigate the problem. If the breach was caused by a person, you may need to update them on proper communication methodology. If the breach was caused by software, update the system if there’s a patch, or contact the developers.
- Determine the severity of the breach and assess the damage. How many people are impacted, and what level of information was exposed?
- Inform relevant staff of the issue, what you’re doing to contain it, and the potential impact.
- Inform the public. Depending on legal requirements and level of impact, a public announcement should be made. It always looks better for a business to be honest and upfront about a breach rather than being exposed later on.
- Mitigate the damage by resetting passwords, offering credit monitoring services, or offering other resolutions as appropriate.
- Improve security through software and policy updates. A breach is troublesome but can be seen as a great opportunity to strengthen your Information Security policies.
- Reporting may be required by law in your area. Be sure to comply with local regulations.
- Legal counsel should be involved to ensure compliance and advise on potential litigation.
Conclusion
Ultimately, you know your business and industry best, and I hope these suggestions have sparked your imagination and will lead to your developing a robust Public Information Policy. We will continue to update this article with ideas and practical suggestions.