Managing Sensitive Personal Data Collected And Used By Businesses: Privacy/Data Security Principles To Reduce The Risk Of Data Compromise
The Federal Trade Commission (FTC) in its recent publication “Start with Security: A Guide for Business” (Guide) noted that from personal data on employment applications to network files with customers’ credit card numbers and social security numbers, sensitive information pervades every part of many businesses. The result is that many businesses are simply overwhelmed by the task of managing such “sensitive information.”
While every industry may be subject to its own respective regulator and corresponding industry specific rules and regulations, the FTC (the federal agency that is empowered to bring lawsuits against private companies for insufficient data security practices under the unfairness prong of Section 5 of the FTC Act) in its Guide suggests that starting with security and consciously factoring it into all business decision making (personnel, sales, accounting, legal, information technology, etc.) can help any business begin the process of managing the sensitive information collected and under its control and, in turn, significantly reduce the risk of a data compromise.
To assist businesses in this endeavor, the FTC suggests all businesses consider the following privacy/data security principles (where applicable to a given business):
- Consider Security In All Business Decision Making.
- Control Access To Data Sensibly.
- Require Secure Passwords And Authentication.
- Store Sensitive Personal Information Securely And Protect It During Transmission.
- Segment Networks And Monitor Who’s Trying To Get In And Out.
- Secure Remote Access To Networks.
- Apply Sound Security Practices When Developing New Products.
- Make Sure Service Providers Implement Reasonable Security Measures.
- Put Procedures In Place To Keep Security Current And Address Vulnerabilities That May Arise.
- Secure Paper, Physical Media And Devices.
Consider Security In All Business Decision Making.
- Don’t collect personal information that is not needed. Reassess whether the business needs the sensitive information it currently requests from customers and others. Remember, information cannot be stolen or misplaced if it is never collected. Many risks can be avoided simply by not collecting sensitive information in the first place.
- Hold on to information only as long as there is a legitimate business need. Reassess how long the business needs to keep the sensitive information it currently retains. Update and/or establish appropriate record retention policies for sensitive information and follow the policies. Many risks can be avoided by securely disposing of sensitive information once it is no longer needed.
- Don’t use personal information when it is not necessary. Review how the business currently uses the sensitive information it retains. Avoid using sensitive information in contexts that create unnecessary risks. For example, in training or development exercises, use fictitious (“dummy”) information instead of actual sensitive information.
Control Access To Data Sensibly.
- Restrict access to sensitive data. Implement proper controls to ensure that only authorized employees can access sensitive information. If a particular employee’s job duties do not require access to sensitive information, there is no need for the employee to have access to sensitive information.
- Limit administrative access. Limit administrative access, which allows a user to make system-wide changes to the business system (including the power to reset passwords and restrict/grant access to the business network), only to employees tasked to administer the network. Many risks can be avoided by tailoring employee administrative access to job needs.
Require Secure Passwords And Authentication.
- Insist on complex and unique passwords. Hackers commonly use password guessing tools or passwords stolen from other services in the hope that employees will use the same password to access the business’ system. Require employees to choose complex passwords and train employees not to use the same or similar passwords for both business and personal accounts. A complex/unique password would be at least eight characters long, would not contain the user’s name or business name, would not contain a complete word, would be significantly different from previous passwords and would contain characters from each of the following four categories: (1) uppercase letters; (2) lowercase letters; (3) numbers; and (4) non-letter/non-number symbols found on the keyboard.
- Store passwords securely. Don’t store all network user credentials in clear readable text anywhere on the system where a successful hacker could use them to gain access to the entire network. Also consider establishing policies to prohibit employees from storing administrative passwords in plain text in personal email accounts. Finally, consider other protections, such as two-factor authentication, that can help protect against password compromises.
- Guard against brute force attacks. Hackers often use automated programs that work by trying endless combinations of characters until the program matches a user’s password. Consider implementing a policy to suspend or disable a user’s credentials after a certain number of unsuccessful login attempts; doing so helps eliminate the risk from such brute force attacks.
- Protect against authentication bypass. Work with business network administrators to identify and close any software “back doors” and test for common vulnerabilities that might allow a hacker to bypass the system’s authentication requirements and gain unauthorized access to the business’ network.
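As an added illustration of the password rules, hashed storage and lockout policy described above (example code, not from the FTC Guide or this article), assuming a five-attempt lockout threshold and a small constructed word list standing in for a real dictionary:

```python
import hashlib
import hmac
import os
import string

# Constructed stand-in for a dictionary check; a real deployment would use a full word list.
COMMON_WORDS = {"password", "welcome", "summer", "company"}
MAX_FAILED_ATTEMPTS = 5  # assumption: failed logins allowed before the account is disabled


def password_problems(password, username, business_name, previous=()):
    """Return the complexity rules from the Guide that a candidate password breaks."""
    low = password.lower()
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    for label, name in (("user name", username), ("business name", business_name)):
        if name and name.lower() in low:
            problems.append(f"contains the {label}")
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a complete word")
    if any(old.lower() in low or low in old.lower() for old in previous):
        problems.append("too similar to a previous password")
    classes = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    if not all(any(test(c) for c in password) for test in classes):
        problems.append("missing an uppercase, lowercase, digit or symbol character")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2 digest for storage, so the clear-text password is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt = bytes.fromhex(stored.split("$")[0])  # recompute with the stored salt
    return hmac.compare_digest(hash_password(password, salt), stored)


class LoginGuard:
    """Counts consecutive failed logins per account and disables it at the threshold."""

    def __init__(self):
        self.failures = {}  # account -> consecutive failed attempts

    def attempt(self, account, password, stored_hash):
        if self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if verify_password(password, stored_hash):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "locked" if self.failures[account] >= MAX_FAILED_ATTEMPTS else "denied"
```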
Store Sensitive Personal Information Securely And Protect It During Transmission.
- Keep sensitive information secure throughout its lifecycle. Data often does not stay in one place. Accordingly, consider data security at all stages, especially if transmitting data with sensitive information is a necessity. For example, if data is secured by encryption for transmission, ensure that it stays secure throughout its lifecycle and not just during the initial transmission.
- Use industry tested and accepted methods. When considering what technical standards to follow to secure data, don’t start from scratch when it isn’t necessary. Use tried and true industry tested and accepted methods for securing data.
- Ensure proper configuration. Encryption software offers no protection unless it is configured properly. If a business opts to utilize encryption software to secure data, ensure that the encryption software is properly configured.
Segment Networks And Monitor Who’s Trying To Get In And Out.
- Segment your network. Protect particularly sensitive information by housing it in a separate secure place on the network.
- Monitor activity on networks. Utilize an intrusion detection system and monitor system logs for suspicious activity. Hackers often exploit network weaknesses, install malicious programs on the hacked network to collect stored sensitive information and then send the information to themselves outside the network. Reduce the risk of a data compromise by using tools to monitor activity (both inbound and outbound) on the network.
Secure Remote Access To Networks.
- Ensure endpoint security. A network is only as strong as the weakest security on a computer with remote access to it. Ensure that computers with remote access to the network have appropriate endpoint security. Reduce risks by securing computers that have remote access to the network with basic security measures, such as firewalls and updated antivirus software.
- Put sensible access limits in place. Restrict third-party access to the network, for example by limiting connections to specified IP addresses or by granting only temporary, limited access.
Apply Sound Security Practices When Developing New Products.
- Train engineers in secure coding. If software developers are utilized, explain to the developers the need to keep security at the forefront and emphasize the need for secure coding practices.
- Follow platform guidelines for security. Require developers to follow explicit platform guidelines about secure development practices.
- Verify that privacy and security features work. If a business offers software that features a privacy or security feature, verify that the feature works as advertised.
- Test for common vulnerabilities. If developing new software applications, test for commonly known vulnerabilities. For example, the Open Web Application Security Project (OWASP) top ten list represents a broad consensus of the most critical web application security flaws (www.owasp.org).
Make Sure Service Providers Implement Reasonable Security Measures.
- Put it in writing. Insist that appropriate security standards be incorporated in all service provider contracts. Consider obtaining and reviewing a copy of the service provider’s written security policies.
- Verify compliance. Follow up on the security standards in contracts with service providers by building periodic oversight into the contracting process. Periodic verification of compliance with contractually required security standards can help reduce the risk of a compromise by the service provider.
Put Procedures In Place To Keep Security Current And Address Vulnerabilities That May Arise.
- Update and patch third-party software. Outdated software obviously undermines security. Establish a reasonable process to update and patch third-party software to reduce the risk of a compromise.
- Heed credible security warnings and move quickly to fix them. Establish a procedure to receive and address software security vulnerability reports and security alerts. Once alerted, move quickly to address vulnerabilities.
Secure Paper, Physical Media And Devices.
- Securely store sensitive paper files. While security of electronic information is critical, do not forget paper files. If it’s necessary to retain sensitive paper files, take steps to ensure the paper files are secure.
- Protect devices that process personal information. Securing information stored on the network will not protect data that has already been stolen through a device that collects it before reaching the network. For example, attacks targeting point of sale devices are now common and well known, and businesses should take reasonable steps to protect such devices from compromise.
- Keep safety standards in place when data is en route. Secure sensitive information when it’s outside the office. Unencrypted backup tapes, laptops, external hard drives and smartphones which contain sensitive information create a risk of compromise. When there is a legitimate business need to travel with such unencrypted sensitive information, keep it out of sight and under lock and key.
- Dispose of sensitive data securely. Shred, burn or pulverize paper documents to make them unreadable and use available technology to wipe devices that aren’t in use.
Sound privacy/data security policies are no accident. While the specific threats to business involving privacy and data security issues tend to evolve over time, sound privacy/data security practices do not. Establishing sound privacy/data security practices is a continuous process of assessing options and making reasonable choices based on the nature of a given business and the character of the information involved. Making privacy/data security a conscious factor in all your business decision making can help your business establish effective policies to protect and manage the sensitive information collected and used by your business. Consideration by your business of the privacy/data security principles outlined above should help significantly reduce the risk to your business of a data compromise involving such information.