Data breaches at government agencies and mega companies lead daily news cycles. Millions of individuals worry about the safety of their personal information. Against this backdrop of insecurity, the Federal Trade Commission recently released Start with Security, A Guide for Business.
This timely Guide features lessons learned from more than 50 law enforcement actions brought by the FTC against businesses. Because the actions were settled, no findings were made by a court. Still, the Guide offers a 10-step checklist that businesses can use as a practical compliance baseline.
Ten Essential Steps
- “Start with security.” Sensitive information, from data on employment applications to consumer information, pervades most businesses. Security should be part of all decisions the business makes. Minimize the collection or storage of personal information – don’t collect what you don’t need and keep it only as long as necessary.
- “Control access to data sensibly.” If you need and hold sensitive data, take steps to secure it. Restrict access to the data to only those who need it, and limit administrative access to systems – even where access to the data itself is already restricted. If every employee has administrative rights and can change the access controls, the restrictions provide little real protection.
- “Require secure passwords and authentication.” Require strong passwords and store them securely rather than in plain text. Protect against authentication bypass so that unauthorized persons cannot come in through the back door.
- “Store sensitive personal information securely and protect it during transmission.” Encrypt sensitive data, and train the employees who handle it on how the business uses it. Ensure that data remains protected as it moves through your systems and across networks.
- “Segment your network and monitor who’s trying to get in and out.” Consider storing sensitive data in a separate, more tightly secured part of the network. Know who is accessing your systems by using effective intrusion detection tools.
- “Secure remote access to your network.” Network security is only as strong as its weakest link, and a mobile workforce adds many links. Limit remote access to sensitive data and secure the devices and connections used to reach it.
- “Apply sound security practices when developing new products.” Follow platform security guidelines and test that privacy and security features actually work as intended.
- “Make sure your service providers implement reasonable security measures.” If your business takes appropriate security measures but vendors with access to your systems, premises and sensitive data do not, breaches can occur. You may be responsible if you do not require vendors to follow reasonable standards. Include security standards as part of a written contract with vendors, and verify vendor compliance.
- “Put procedures in place to keep your security current and address vulnerabilities that may arise.” Security is a continuous process, and things change. Keep up with third-party software updates. Heed warnings about vulnerabilities and address them promptly.
- “Secure paper, physical media and devices.” Establish procedures to safeguard paper copies as well as devices that can access sensitive data. Many breaches occur through the loss of a laptop or mobile device. Dispose of paper records securely and wipe data from devices before they leave your control.
Protect your business without delay
Reviewing your security practices against the 10-step checklist and documenting your analysis helps protect your business from legal claims if a breach occurs, according to the FTC. The documentation should provide evidence that your business was not negligent. The review also may reveal vulnerable areas to address so that sensitive information remains secure.
Small and large businesses, as well as non-profit and professional organizations, should initiate internal reviews of data security protocols. If there is no security plan in place or vendor contracts do not adequately address your data security expectations, consider engaging an attorney with this expertise.