What Are You Doing to Protect Customers' Information?
What are you doing to protect your customers' data and information?
That is the question at the heart of the Federal Trade Commission's new "Start with Security" business education initiative. The FTC announced the initiative in late June with the goal of helping businesses bolster their efforts to protect consumers. To meet this goal, the FTC will draw on its 54 data security cases to share lessons learned and offer helpful tips.
As part of the initiative, the FTC will be hosting a series of conferences across the country. The conferences will provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability responses. The first event is to be held this fall in San Francisco, while the second event is scheduled for Austin, Texas. We will keep you posted if there is an event close to Erie.
In addition to the conferences, the FTC also released "Start with Security" guidance for businesses. Again, the guidance draws from the FTC's data security cases to provide practical tips. Here are the FTC's ten recommendations:
- Start with security.
- Control access to data sensibly.
- Require secure passwords and authentication.
- Store sensitive personal information securely and protect it during transmission.
- Segment your network and monitor who's trying to get in and out.
- Secure remote access to your network.
- Apply sound security practices when developing new products.
- Make sure your service providers implement reasonable security measures.
- Put procedures in place to keep your security current and address vulnerabilities that may arise.
- Secure paper, physical media, and devices.
The FTC's initiative comes on the heels of two other recent reports that provide some insights for businesses dealing with cyber risks.
First, Unisys, a global information technology company, released a report on consumers' concerns about data security and retail stores. The report noted that "[c]oncern about unauthorized access [to customers' information] in retail is high, as consumers seem to be less trusting of retailers owing to recent high profile data breaches at several retail chains." This should not come as a surprise to businesses after seeing the impact of data breaches on retail companies, such as Target and Home Depot. Instead, it should serve as another reminder that, in addition to the direct costs of dealing with a data breach, your business must also worry about the reputational costs.
The other report came from Deloitte, the worldwide accounting firm. This report focused on the cyber risks posed to retail businesses. It offered four issues to think about when evaluating how to protect your business from cyber threats:
- Compliance does not always equal risk management. On this point, Deloitte noted that just complying with the regulations is not enough and that retailers need to take a more proactive approach to data security.
- Breach response readiness is top-of-mind as companies scramble to shore up detection. Businesses should have a plan in place to respond immediately in the event of a breach.
- External intelligence will play a crucial role in the war against cyber threats. Assessing cyber risks is an ongoing and constantly changing process.
- Cyber risk is a business issue. Board members should be more involved in evaluating what your business is doing to prevent, detect, and respond to cyber threats.
If you: (1) have questions about any of these reports; (2) need recommendations of service providers to help you protect your customers' information; or, (3) have questions about your legal obligations with respect to customers' information, please contact our office at 814-870-7600 or complete this form on our website.