The FTC has settled 54 data security law enforcement actions and that number will surely rise in the coming years. What does this mean to your business? According to the FTC, “your company’s data security measures should be reasonable and appropriate in light of the sensitivity and amount of consumer information you have, the size and complexity of your business, and the availability and cost of tools to improve security and reduce vulnerabilities.”
Hopefully you have strong data security practices in place; however, if you have not evaluated or re-evaluated your data security practices in the last few years here are some things to consider:
- Do you know what personal information your company collects, where it resides in your business and how it moves through your business?
- Do you have a written plan addressing physical and electronic security to prevent unauthorized access?
- How will you monitor the effectiveness of your plan?
- If there is a breach, do you have a plan in place to deal with it?
- Have you identified the risks to the security, confidentiality, and integrity of the personal information that your business has?
- Have you segmented your network to limit access between computers, limited network access from the internet and wireless access points and do you keep your security software patched and up to date?
- What kind of measures have you put in place to limit employee access to confidential information?
- Do you change default user IDs and passwords and also require that passwords are updated regularly?
- Are your password requirements complex, and do you lock accounts if someone uses incorrect credentials repeatedly?
- Have you considered two-factor authentication for remote access to sensitive data?
- Do you restrict third party access to your network?
- Have you trained all of your employees about the importance of protecting sensitive and confidential data?
- What steps have you taken to ensure service providers protect personal information?
- Do you keep sensitive information like Social Security numbers in clear, readable text?
- Do you encrypt messages when sending user credentials or other sensitive information?
- How do you securely dispose of sensitive data when it is no longer needed for business reasons?
You may be good at protecting your customers’ property, but how well do you protect their personal information? Data security is not a simple task that you can check off your list and move on from. Protecting the sensitive information that your company collects and has access to must be a top priority and part of an ongoing focus at all levels of your business.
For more information on this topic, I recommend that you visit the Member Only Resource Center (member login is required) of www.ESAweb.org. There you will find a document from the Federal Trade Commission called Start with Security: A Guide for Business. The guide, which you can quickly download, summarizes 10 common-sense lessons learned from the data security settlements mentioned above. You will also find additional resources, including Best Practices for Keeping Your Home Network Secure, which the NSA developed, as well as the Department of Defense Cyber Strategy, which was published in April of this year.
If you are not an ESA Member and would like access to this information, contact the Member Services Center to join.