Working in a Fishbowl
Over time, a convergence of business and technology risk factors has made handling sensitive data a significant challenge

"Don't put anything in an e-mail that you wouldn't want to see splashed across the front of The New York Times." Today that advice applies to much more than just e-mail. With the proliferation of new digital technologies, anything you text, blog, post on a social network or even store in a smartphone could end up on the evening news or in a court of law.

This expansion of technology is only one of many interwoven trends that make protection of sensitive information belonging to a company and its clients increasingly difficult.

First, the number of places where sensitive information is transferred and stored has increased. Companies formerly processed or stored information in one place, in some cases literally under lock and key. But today, corporations routinely exchange data across digital networks to internal offices as well as to business partners—and to third-party service providers worldwide. As more companies outsource business and information technology functions, such as service centers or back-office applications like payroll or e-mail systems, more and more sensitive information resides at third-party locations.

Second, as information travels and is stored around the world, an increasing number of privacy and data security regulations come into play. For example, personal information transferred outside of the European Union is subject to the EU Data Protection Directive. Even within the United States, various federal and state laws may apply to sensitive information. Federal laws in the financial and health sectors (Gramm-Leach-Bliley Act and Health Insurance Portability Act), as well as several state laws such as those in Massachusetts and Nevada, require companies to comply no matter where the data is processed or stored.

Although the complexities seem overwhelming, corporations can protect themselves by developing and applying a strategy that has the support of senior management and includes input from several key stakeholders, such as security, compliance, sourcing, legal, human resources and risk management, says Gary Warzala, senior vice president, Aon IT Risk Management. The strategy should be based on four general best practices:

1. Limit the amount of sensitive information collected, and the associated access, to only what is actually required to provide a particular product or service.

2. Develop an information classification model as well as policies and procedures for the safe handling of each class of information.

3. Identify where your sensitive information is located—and who handles it—and put appropriate controls in place.

4. Educate your employees and third-party service providers about the value of the information and their responsibilities for protecting it.

The information classification model shouldn't be complicated. You might have three categories: public, internal and confidential. For each class, define how the information is to be handled and protected. Take into account the life cycle of the information, including when it's collected and how long it should be retained. A good information classification program helps to ensure that information is not improperly disclosed, but also not overly protected.
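To make the three-tier model concrete, here is an added example (not code from the article or from Aon) of how a classification policy can be written down and checked automatically. The classes match the article's public/internal/confidential split; the retention periods, allowed destinations and encryption requirements in POLICY are assumptions constructed for illustration, not values the article gives. The checks cover the two life-cycle questions the article raises: may a record of a given class be sent to a given destination, and has it outlived its retention period?

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Classification(Enum):
    """The three-tier model suggested in the article."""
    PUBLIC = "public"
    INTERNAL = "internal"
    CONFIDENTIAL = "confidential"


@dataclass(frozen=True)
class HandlingRule:
    retention_days: Optional[int]          # None means no fixed retention limit
    allowed_destinations: frozenset[str]   # where data of this class may be sent
    encrypt_in_transit: bool
    encrypt_at_rest: bool


# Assumed handling rules, constructed for this example. A real program would
# derive these from the organisation's own policy and applicable regulation.
POLICY: dict[Classification, HandlingRule] = {
    Classification.PUBLIC: HandlingRule(
        retention_days=None,
        allowed_destinations=frozenset({"internal", "partner", "cloud", "external"}),
        encrypt_in_transit=False, encrypt_at_rest=False),
    Classification.INTERNAL: HandlingRule(
        retention_days=3 * 365,
        allowed_destinations=frozenset({"internal", "partner", "cloud"}),
        encrypt_in_transit=True, encrypt_at_rest=False),
    Classification.CONFIDENTIAL: HandlingRule(
        retention_days=365,
        allowed_destinations=frozenset({"internal"}),
        encrypt_in_transit=True, encrypt_at_rest=True),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: Classification
    collected_on: date


def check_transfer(record: Record, destination: str, encrypted_in_transit: bool) -> list[str]:
    """Return policy violations for sending `record` to `destination` (empty list = allowed)."""
    rule = POLICY[record.classification]
    problems: list[str] = []
    if destination not in rule.allowed_destinations:
        problems.append(
            f"{record.record_id}: {record.classification.value} data may not be sent to '{destination}'")
    if rule.encrypt_in_transit and not encrypted_in_transit:
        problems.append(
            f"{record.record_id}: {record.classification.value} data must be encrypted in transit")
    return problems


def retention_expired(record: Record, today: date) -> bool:
    """True when the record is older than its class's retention period."""
    rule = POLICY[record.classification]
    if rule.retention_days is None:
        return False
    return today > record.collected_on + timedelta(days=rule.retention_days)


def review_inventory(records: list[Record], today: date) -> dict[str, list[str]]:
    """Flag records that should have been disposed of; keyed by record id."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        if retention_expired(rec, today):
            findings.setdefault(rec.record_id, []).append(
                f"retention period of {POLICY[rec.classification].retention_days} days exceeded")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, dated relative to a fixed "today".
    today = date(2024, 1, 1)
    inventory = [
        Record("payroll-export", Classification.CONFIDENTIAL, date(2022, 11, 1)),
        Record("org-chart", Classification.INTERNAL, date(2022, 11, 1)),
        Record("press-release", Classification.PUBLIC, date(2020, 1, 1)),
    ]
    for p in check_transfer(inventory[0], "cloud", encrypted_in_transit=False):
        print("BLOCK:", p)
    for rid, notes in review_inventory(inventory, today).items():
        print("DISPOSE:", rid, notes)
```

The point of encoding the policy this way is that the class label travels with the record, so the same rule set applies whether the data sits in-house, with a business partner or at a cloud provider, and a retention review can be run on the inventory rather than left to memory.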

Working in the Clouds

A growing trend in information technology—cloud computing—is adding still more complexity and risk to information protection. Public, private and hybrid cloud computing models provide Internet-based IT services on demand. These cloud-based services are typically less costly and offer improved service levels. But identifying where your sensitive company or client information is being sent, where it is being stored, who owns it and who is managing it is not always easy. As corporations increasingly outsource business processes and IT systems, they create a web of interrelationships that can increase their exposure to information leaks.
