With authority stemming from a law prohibiting companies from engaging in “unfair or deceptive practices,” the FTC can and has alleged violations of the “deceptive” nature simply when companies fail to follow their own security policies.
In cases where there were breaches and the company hadn’t made claims about data security, the agency used “unfairness,” citing practices that, when taken together, “failed to provide reasonable and appropriate security for personal information.” Among these practices were such things as “failure to adequately assess the vulnerability of the computer network to commonly known or reasonably foreseeable attacks; ignoring the need to implement simple, low-cost and readily available defenses to such attacks; storing the information in an unencrypted form that could be accessed easily by using a commonly known user ID and password, and not employing sufficient measures to detect unauthorized access.”
So, how do breaches typically occur? The attorneys cite Verizon’s 2013 Data Breach Investigations Report, which found that 52% of data breaches involved hacking into a company’s system by using stolen credentials or brute force. In cases where a network was infiltrated, malware (or spyware) was involved in 40% of the cases and social tactics, such as phishing scams targeting employees, were used in nearly 30% of the security breaches.
To reduce your company’s risk of a data breach and/or being charged by the FTC, Libin and Oxenford recommend taking the following steps:
1. Designate a chief privacy officer (CPO) who is responsible for developing and implementing a data privacy and security program and identifying associated risks.
2. Deploy security defenses that improve data security, such as replacing the default passwords that come with equipment and software the company purchases, requiring employees to have a valid business purpose before accessing sensitive personal information, and only accessing the information from secure computers and devices.
3. Hire a chief information security officer (CISO) to implement the technical aspects of a data-security program. These measures include requiring strong passwords; encrypting information; instituting robust authentication controls; making sure all WiFi networks are password-protected; and educating employees about phishing attacks and other signs of malicious activity.
4. Regularly back up important files on servers and/or with secure cloud services.
5. Include data-security requirements in contracts with third party providers to ensure that they implement sufficient data-security protection practices.
6. Develop a response plan so that the company is ready to act quickly to identify and mitigate the harm of a data breach. Use a risk-assessment matrix to determine data loss and risk of harm to individuals and identify when it’s appropriate to notify consumers, regulators, state attorneys general or consumer protection agencies.
7. Regularly review and revise the company’s data collection and use policies.
As the experts note, the ounce of prevention involved in implementing these “rules of the road” may save companies many pounds of hurt down the road. With the growing demand for “big data” applications that rely on customers’ personal information, we all have a ton of reasons to consider their advice. I hope these recommendations – and the reasons behind them – serve as a starting point for evaluating the current state of data security precautions at your organization.
(Mary M. Collins is president and CEO of the Media Financial Management Association and its BCCA subsidiary. She can be reached at firstname.lastname@example.org.)