Federal Trade Commission Guidance and recent state legislation clearly set forth that reasonable and appropriate data security may depend upon the size and nature of one’s business. However, there are fundamental guidelines that apply across the board.
Collect only what is necessary.
Never collect sensitive personal information that is not reasonably required. Not only is the collection of information “just because” unlawful pursuant to various states’ cybersecurity legislation, but the less information a company possesses, the easier it is to safeguard. A good place to start minimizing security risks is to limit what is collected in the first place.
Consumers should always be offered choices. Clearly and conspicuously explain data collection and use practices to consumers up-front.
Companies should retain data only whilst a legitimate business need continues to exist. Federal and state regulatory authorities expect businesses to regularly review the data that they possess and securely dispose of it when it is no longer reasonably required.
Safeguard stored and transmitted information. Implement security measures throughout the data’s lifecycle and only use personal information when it is necessary and appropriate to do so. Using consumer data for unexpected or illegitimate purposes can easily result in a regulatory investigation or enforcement action, particularly in the lead generation industry. Avoid the creation of unnecessary risks.
Keep safety standards in place when data is en route. Implement reasonable security policies.
Guard against brute force attacks. Suspend or disable user credentials after a certain number of unsuccessful login attempts. Implementing policies that do so after repeated login attempts helps to mitigate that risk.
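An added example (not from the article) of the lockout policy described above: a per-account counter that suspends a credential after a fixed number of consecutive failures and refuses to evaluate passwords while the suspension is in force. The thresholds and the injectable clock are assumptions for illustration.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5           # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60  # assumed policy: suspend the credential for 15 minutes


@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Tracks failed attempts per username. The clock is injectable so the
    expiry behaviour can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._state = {}

    def is_locked(self, username):
        st = self._state.get(username)
        return st is not None and st.locked_until > self._clock()

    def record_failure(self, username):
        """Returns True if this failure triggered a lockout."""
        st = self._state.setdefault(username, _State())
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = self._clock() + LOCKOUT_SECONDS
            st.failures = 0  # fresh count once the suspension expires
            return True
        return False

    def record_success(self, username):
        self._state.pop(username, None)


def attempt_login(throttle, username, password, check_password):
    """Returns 'locked', 'ok' or 'denied'. check_password is the caller's
    credential check (constructed in tests; a real store in production)."""
    if throttle.is_locked(username):
        return "locked"  # do not evaluate the password while suspended
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```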
Protect against authentication bypass. Adequately test web applications for known security flaws. Test for common vulnerabilities to improve the security of authentication mechanisms.
Remote access to your network should be secured. If you provide employees, clients or service providers remote access, develop remote access policies and take steps to secure access points.
Secure paper, physical media and devices. Securely store sensitive files.
Always dispose of sensitive data securely. Paperwork or equipment that is no longer reasonably required should be shredded, burned or pulverized to render it unreadable. Utilize available technology to wipe devices that are not in use.
Network security is only as strong as the weakest security on a computer with remote access to it. The FTC has initiated action against companies that failed to ensure that computers with remote access to their networks had appropriate endpoint security. Do not allow third parties that lack basic security measures, like firewalls and updated antivirus software, to access information through an online portal. Install antivirus programs on computers that employees use to remotely access the network.
Put sensible access limits in place. Not everyone who might occasionally need to get on your network should have all access privileges. Limit access to what is necessary. The FTC has charged companies with failing to adequately restrict third-party network access. Restrict connections to specified IP addresses or grant temporary, limited access.
Encryption will not adequately protect information if it is not configured properly. The FTC has previously alleged that companies used SSL encryption in their mobile apps, but turned off a critical process known as SSL certificate validation without implementing other compensating security measures.
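An added example (not from the article or the FTC cases it cites) showing the misconfiguration described above in Python's standard `ssl` module: a client context with certificate validation switched off beside the correctly validating default, plus a simple source scan for the patterns that commonly disable validation so the setting is caught in review rather than in production. The pattern list and the sample client source are constructed for illustration.

```python
import re
import ssl


def insecure_context():
    """The weak setting: any certificate, including one presented by a
    network attacker, is accepted and the hostname is never checked."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """The correct setting: the default context requires a chain that
    validates against the system trust store and a matching hostname."""
    return ssl.create_default_context()


def validates_certificates(ctx):
    """Configuration check suitable for a unit test or pre-release review."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Assumed (non-exhaustive) list of idioms that disable validation in Python clients.
_DISABLE_PATTERNS = [
    re.compile(r"verify\s*=\s*False"),                # requests / httpx keyword
    re.compile(r"verify_mode\s*=\s*ssl\.CERT_NONE"),  # ssl module
    re.compile(r"check_hostname\s*=\s*False"),
    re.compile(r"_create_unverified_context"),
]


def find_disabled_validation(source):
    """Returns (line number, stripped line) for each line matching a pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if any(p.search(line) for p in _DISABLE_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample of the kind of client code the scan is meant to flag.
SAMPLE_CLIENT = """\
import requests, ssl
r = requests.get(API_URL, verify=False)  # TODO: remove before release
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
"""
```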
Companies should also segment networks and monitor who is trying to get in and out. Consider segmentation tools like firewalls to limit access between network computers and the internet. Other useful safeguards include intrusion detection and prevention tools to monitor your network for malicious activity. Protect particularly sensitive data by housing it in a separate secure place on the network.
Monitor for unauthorized activity on your network using intrusion detection tools to reduce the risk of a data compromise.
Sensitive personal information should be stored securely and protected during transmission. Utilize strong cryptography to secure confidential material during storage and transmission. The method will depend on the types of information collected, how it is collected and how it is processed. Depending upon the nature of your business, some possibilities may include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption or an iterative cryptographic hash.
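An added example (not from the article) of the "iterative cryptographic hash" option named above, applied to stored passwords: PBKDF2-HMAC-SHA256 with a random per-record salt, a self-describing stored format, constant-time verification, and a check for records whose work factor has fallen below the current policy. The iteration count and record format are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16
_ALG = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS):
    """Returns 'pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>'.
    Never store the password itself, only this record."""
    salt = os.urandom(SALT_BYTES)  # unique per record, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        _ALG,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password, stored):
    """Recomputes the hash with the record's own salt and iteration count and
    compares in constant time. Malformed records verify as False."""
    try:
        alg, iters, salt_b64, digest_b64 = stored.split("$")
        if alg != _ALG:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, binascii.Error):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the record predates the current work factor; rehash on the
    next successful login, since the plaintext is only available then."""
    try:
        return int(stored.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True
```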
Designated individuals must understand how your company uses sensitive data and be familiar with appropriate situational action.
Control access to data sensibly. Implement proper controls and ensure that only authorized employees with a business need have access to consumers’ personal information.
Access to such information should be restricted to those with a “need to know.” Administrative access should be limited to the employees tasked to do that job. Ensure that employee access to system administrative controls is tailored to job requirements.
Once a legitimate business need to retain sensitive data no longer exists, reasonable steps should be taken to secure and dispose of it.
Secure passwords and authentication should be required.
Solid authentication procedures and password “hygiene” can assist with ensuring that only authorized individuals are able to access personal data. The FTC provides tips to consider when developing data security policies.
Passwords and network security credentials should be unique and complex, and securely stored. Establish policies that prohibit employees from storing administrative passwords in plain text in personal email accounts.
Personnel should be trained on a regular basis to comply with company-wide security policies. Such training should include, without limitation, ongoing monitoring, and reference to carefully developed written policies and information security plans. Training protocols should be documented and also include disciplinary elements.
Use industry-tested and accepted methods for securing data. When considering what technical standards to follow, refer to standard, proprietary forms of encryption. Consider widely-accepted encryption algorithms that have been extensively tested.
Apply sound security practices when developing new products. Early in the development process, think through how customers will likely use the product. If users will be storing or sending sensitive information, ensure that your product is capable of handling that data securely. Consider past lessons regarding product development, design, testing and roll-out.
Train your engineers in secure coding. Explain the need to keep security at the forefront and train employees in secure coding practices.
Follow platform guidelines for security, verify that privacy and security features work, and test for common vulnerabilities.
The FTC recommends that companies put procedures in place to keep security current and address vulnerabilities that may arise. If you use third-party software on your networks, or you include third-party software libraries in your applications, apply updates as they are issued. FTC cases offer points to consider in thinking through vulnerability management.
Update and patch third-party software. Heed credible security warnings and move quickly to fix them.
Make sure that service providers implement reasonable security measures. Companies hired to process personal information collected from customers or to develop apps should be fully informed of your security expectations. Take reasonable steps to select providers that are able to implement appropriate security measures and monitor that they are meeting your requirements.
Always insist that appropriate security standards are part of contracts. Utilize contract provisions that require service providers to adopt reasonable security precautions. Liability shifting mechanisms such as warranties and indemnification provisions should be drafted by experienced privacy compliance counsel.
Verify compliance. Build oversight into the service provider selection and development process.
Takeaway: Companies have an obligation to protect data. Understand and assess what data you collect and what security measures need to be implemented. Create and implement a written information security program. Consult with a legal professional about applicable international, federal and state privacy and cybersecurity legislation. Know where your customers reside. Encrypt your data. Prepare an incident response plan. Monitor vendors and marketing partners. Utilize responsible contract provisions. Be transparent and provide consumers with choices regarding their data. Clearly and conspicuously disclose data collection and use practices.
Richard Newman is a privacy and data security lawyer at Hinch Newman LLP.
Informational purposes only. Not legal advice. Previous case results do not guarantee similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777