Data security was back in the news this past week as President Obama called on Congress to pass legislation to combat cyber crime, develop a consumer privacy bill of rights, and enact a federal data breach notification standard. The latest steps were a sign from the White House of a renewed focus on cybersecurity and privacy in the wake of 2014’s high profile breaches at Sony, Home Depot, and Target (News - Alert). The new government emphasis on privacy is a reminder to companies to take the time in the New Year to reassess their own practices.
Assessing Cybersecurity Risk
In the face of new standards and the likelihood of new enforcement action, the government’s signal to management should be clear: companies need to reassess and strengthen their defenses of customer, employee, and proprietary data. Conducting a regular Privacy Impact Assessment (PIA) can help.
DOWNLOAD PRIVACY IMPACT ASSESSMENT QUESTIONNAIRE
In fact, risk assessment is a major goal of President Obama’s cybersecurity proposal, which is designed to collect information from businesses to identify and combat risk. The White House proposes to provide liability protection for companies that share real-time, cyber threat-related data with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) and with Information Sharing and Analysis Organizations (ISAOs). The aim of the government is to then analyze the data to enable law enforcement to better fight cyber crime.
The Executive Branch has determined – and rightly so – that in an ecosystem where technologies and threats evolve so quickly, the first step to cybersecurity is collecting the necessary information to assess risk. To help your business take similar steps, we have developed a Privacy Impact Assessment (PIA) designed to determine the scope, justification, and operating procedures for your company’s systems that collect, store or process sensitive personal data.
When it comes to addressing privacy risks, our firm recommends that your business is proactive, not reactive. Companies should conduct a PIA regularly, at least twice a year, to identify vulnerabilities while still leaving sufficient time to develop improvements and build a remediation plan.
Compliance Best Practices
In addition to assessing and managing risk, companies should consider taking steps to comply with privacy best practices. Fortune 1000 companies are already emphasizing new privacy initiatives, increasing their annual privacy budget to $3 billion in 2015. Regardless of the legislative success of recent White House proposals, companies that prepare for privacy risk and communicate effectively with their customers will be better positioned to weather unintended data breach emergencies.
The Federal Trade Commission (FTC (News - Alert)) has signaled it will come down hard on companies that publish false, “bait-and-switch” statements regarding their handling of customer data. In late December, the FTC approved a final order settling charges that Snapchat deceived its users by inaccurately characterizing the way its messages “disappear” after receipt, and by inaccurately disclosing the amount of personal data collected and the measures taken to protect that data from misuse and unauthorized disclosure. As part of the settlement, the FTC required Snapchat “to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.”
Companies should ensure that their privacy policies accurately reflect how they collect, store and transmit data. They should not be written to sound “consumer-friendly” if the policy does not reflect actual data practices. Enforcement agencies can and will crack down where gaps exist.
2. Tighten Access Restrictions
You probably already recognize that restricting access to sensitive company data like trade secrets is necessary in today’s competitive business environment. And if you are a telecom service provider, you are already aware of the need to protect customer data including Customer Proprietary Network Information (CPNI). Systems storing this data should be designed to emphasize security and to ensure access is limited on a “need-to-know” basis.
Just as important is that companies train employees to prevent unauthorized use of computers. Companies should assess the potential risk of allowing employees to open their own email or use their own USB drives on computers, which could open company networks to malware intrusions. Similarly, companies should monitor network access of vendors that use company networks. In last year’s Target breach, for instance, attackers broke into the company’s network through a third party provider of refrigeration and HVAC systems.
3. Data Breach Preparedness
Companies of all sizes should consider implementing monitoring systems to scan for breaches and developing plans for responding to potential attacks. State laws currently govern customer notification in the case of a data breach, but President Obama’s proposal would institute a federal standard requiring notification of customers within 30 days. When a breach happens, company statements to consumers should be accurate to avoid scrutiny from the FTC or FCC (News - Alert).
Breaches can be costly, and companies should re-assess what customer data is kept, where it is kept, and how long the data should be stored. Businesses should then weigh the risk of a breach against the cost of increasingly-popular data breach liability insurance.
4. Appoint a Privacy Professional
Developments at the FCC and in Europe point to a growing consensus among regulators on the need for companies to have a privacy officer. Last October, the FCC fined two carriers, TerraCom, Inc., and YourTel America, Inc., $10 million for compromising sensitive personal data after promising to protect it. As part of the settlement, the FCC made a deal of sorts with the companies that it would consider reducing the fine if the carriers took steps to mitigate the impact on customers, with a key step being to appoint a Chief Privacy Officer. This was a rare concession from the FCC, and it sends a signal to the industry that when the FCC reviews data breaches for liability it will be looking directly at the management structure behind a business’ data security apparatus.
The FCC’s message comes at a time when companies that do business in Europe or use European infrastructure to store or transmit data should already be paying attention to the reform of data protection legislation currently under consideration. A key legislative provision would require companies to hire a Data Protection Officer to inform and advise management of data protection obligations. The legislation contemplates steep fines for noncompliance of as much as 2 percent of a company’s revenue or, if greater, €1 million. The legislation has not yet been enacted, but the message is clear that businesses should strongly consider appointing a privacy officer capable of ensuring the protection of personal information.
Every business that handles consumer data should assess for itself the costs and benefits of compliance. Our firm can assist you in completing and analyzing your Privacy Impact Assessment and complying with privacy best practices.
Linda McReynolds is a Senior Attorney at Marashlian & Donahue, LLC, The CommLaw Group (www.CommLawGroup.com) and Certified Information Privacy Professional/U.S. (CIPP/US). The CommLaw Group has been honored as the Leading Customer Service Law Firm of the Year and Best Communications Law Firm in the U.S. by ACQ Global Awards for three consecutive years. Ms. McReynolds may be reached at lgm@CommLawGroup.com. Linda was assisted by Alex Schneider in the preparation of this article.
Edited by Stefania Viscusi