Establish policies on how employees should handle and protect personally identifiable information and other sensitive data.  Clearly outline the consequences of violating your business’s cybersecurity policies. In states like Massachusetts follow 201 CMR 17 and implement a WISP (Written Information Security Program)