Target, Sony, JP Morgan Chase, Home Depot, Neiman Marcus, Anthem and others have already reported significant security breaches. So it’s not surprising that the federal government and states are becoming increasingly aware of the need for strong data protection laws and their enforcement.
The Wyndham case discussed in the prior post held that the FTC has authority to bring legal action against companies that fail to employ reasonable cybersecurity measures to protect non-public consumer data.
What does the FTC expect? Companies collecting private consumer data must employ reasonable cybersecurity policies, programs and procedures that adhere to industry standards, and that take notice of the guidance provided by the FTC in public statements and its previous consent decrees.
But what the FTC expects today may not be the same as what the FTC expects tomorrow. Technology changes. Available cybersecurity tools get better and cheaper. Societal expectations increase. So “reasonable cybersecurity measures” is a moving target. Consequently, cybersecurity policies, programs and procedures must be regularly reviewed and updated to account for changes over time in technology, company practices and legal and regulatory requirements.
That being said, companies collecting personal information from consumers can minimize the risk of an enforcement action by doing the following:
Assume that your company will be a target for hackers and plan accordingly. Don’t wait to institute good security measures until after you are attacked.
Deploy regularly updated firewalls, antivirus, and web security solutions throughout your network.
Change passwords frequently, especially administrator passwords, and don’t allow easily guessed passwords.
Map your consumer private data so you know where it is, where it is moved, where it is backed up and archived, and what protections are in place to secure it.
Use strong encryption for protecting sensitive data, particularly personal and financial information belonging to consumers.
Limit access to only those employees who have a “need to know” and require them to change their passwords frequently. Each such employee should have his/her own user account with a unique user name and password to enhance accountability and traceability.
Back up sensitive data frequently.
Update software frequently; intruders often find and use flaws in operating systems and browsers that are subsequently fixed by the vendors in updates.
Limit administrator privileges to prevent installation of unauthorized software.
Perform background checks on employees having any access to sensitive information or data.
Develop an incident response plan with written procedures, and designate an appropriate incident response team.
Document breaches systematically and in writing when they occur.
Keep abreast of changing industry and FTC guidelines, including the guidance provided by previous FTC enforcement actions.
Determine whether outside help is needed to terminate the breach, prevent recurrence and comply with notification and other legal requirements.
Finally, remember that the FTC is not the only governmental entity charged with enforcing cybersecurity practices to protect consumer data.
California, for example, has the Information Practices Act — part of the California Civil Code. It requires businesses that own, license or maintain personal information about California residents (including consumer information) to implement and maintain reasonable security procedures and practices to protect that personal information from unauthorized access, destruction, use, modification or disclosure. See Cal. Bus. & Prof. Code §§ 17200, 17202-17206.
Violations of the Information Practices Act can be enforced through the remedies provided by California’s Unfair Competition Law.
Other states have similar laws.
Daniel Appelman is a partner in the Menlo Park-based law firm of Montgomery & Hansen LLP. His practice focuses on complex technology-related transactions and strategic alliances. He’s a former chair of the California Bar’s Cyberspace Law Committee, vice chair of the American Bar Association’s Privacy and Information Protection Committee, former vice chair of the California Bar’s Business Law Section, and a member of the International Bar Association’s Technology Law Committee. He holds a JD from the UCLA School of Law and a Ph.D. in telecommunications law and public policy from Temple University. He can be contacted here.