An article in the Wall Street Journal last week discussed the growing need for businesses to consider insurance coverage for cyberattacks. I attach that article in case you missed it. However, the first insurance against such attacks is remembering to address security in the first place.
This past summer the Federal Trade Commission published a series of blog posts that use hypothetical examples based on lessons from closed data-security investigations, including a guide for businesses: https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
Learning about the alleged lapses that led to enforcement actions can help your company improve its security practices. Since the FTC has stated that most of the alleged practices in those enforcement actions involved basic, fundamental security missteps, they are a helpful guide to what your company should be doing at a minimum.
The FTC articulated 10 lessons that touch on vulnerabilities that could affect any company. The blog posts and guides go further, providing practical guidance on how to reduce the risks associated with the collection, use, sharing and retention of data.
- Start with security
- Control access to data sensibly
- Require secure passwords and authentication
- Store sensitive personal information securely and protect it during transmission
- Segment your network and monitor who’s trying to get in and out
- Secure remote access to your network
- Apply sound security practices when developing new products
- Make sure your service providers implement reasonable security measures
- Put procedures in place to keep your security current and address vulnerabilities that may arise
- Secure paper, physical media, and devices
The emphasis was that businesses should know what personal information they have, both in their physical file cabinets and on their computers, and should remember that cloud storage does not negate culpability. It is equally important to conduct due diligence on your service providers and, where possible, to have contractual remedies for breaches of contract and breaches of data. To mitigate risk, a strong recommendation is to collect and keep only what you need, adequately protect the information you keep, and properly dispose of information that is no longer needed. Finally, don’t forget to create a plan to respond to security incidents.
The settlements of enforcement actions and the FTC guides contain regulatory statements that help businesses know what should be done at a minimum to sufficiently protect data and, by doing so, actively mitigate risk. If you wish to discuss those requirements, feel free to reach out.
Finally, if you obtain data from any end users within the EU, new regulations going into effect in May 2018 will affect a number of business practices, so be in touch if you are actively seeking EU residents as customers, or even if you simply find yourself receiving orders from EU residents. I will write more on that in the next few weeks. – Lisa Dubrow