Our new weekly series, “Cyber Insurance Compliance Insights from FTC Investigations,” is a spinoff of the FTC’s new “Stick with Security: Insights into FTC Investigations” series. Each week this blog series recaps the FTC’s latest blog insights on data security and explains how those measures can help companies demonstrate cyber insurance compliance. For companies looking to obtain cyber insurance, it is essential to be able to effectively demonstrate that they have implemented baseline security measures.
According to the FTC, when it comes to data security, what’s reasonable will depend on the size and nature of your business and the kind of data you deal with. But certain principles apply across the board: Don’t collect sensitive information you don’t need. Protect the information you maintain. And train your staff to carry out your policies.
Don’t Collect Personal Information You Don’t Need
Indeed, there will be data your company must collect and maintain, but the old habit of collecting confidential information “just because” doesn’t hold water in the cyber era or with the FTC. As it relates to cyber insurance compliance, while collection of data is expected, how your company collects, maintains and stores that data, and who has access to it is key. Your company must be able to demonstrate this to a cyber insurance underwriter. Today, “it’s all about the data” and the moment that data is breached, the last thing your company wants to encounter is a denied cyber insurance claim.
There’s another advantage of collecting only what you need. A lean subset of confidential data is easier to protect than massive amounts of sensitive information stockpiled on networks and in file cabinets throughout your company. According to the FTC, businesses that sensibly limit what they collect have already reduced their security risks and streamlined their compliance procedures. As it relates to cyber insurance, the number of sensitive records matters since it is a factor in assessing the premium and responding to a data breach. Therefore, “it’s all about how your company is protecting and securing its sensitive data.”
FTC Provided Example: A bakery sends customers a coupon for a free birthday muffin. Rather than maintaining a record of all customers’ dates of birth – information that could be combined with other data and used for unauthorized purposes – the bakery directs its cashiers to add only the customer’s name, email address, and birth month to the database. Although there are legitimate reasons why other businesses might need to retain a customer’s date of birth, the exact day, month, and year isn’t necessary for the bakery’s birthday promotion.
Hold Onto Sensitive Information Only As Long As You Have a Legitimate Business Need
Security-conscious companies make it a practice to review the data in their possession periodically, assess what they should maintain, and securely dispose of what’s no longer needed. While certain industries must comply with regulatory data retention requirements, a good best practice for industries that are not regulated is to establish the minimum requirements of a data retention program and to create a data retention policy. The objectives of a data retention policy are to keep important information for future use or reference, to organize information so it can be searched and accessed at a later date, and to dispose of information that is no longer needed. As it relates to cyber insurance, and as mentioned above, your company’s total record count is a factor when assessing your company’s cyber insurance premium and data breach response. If your company is holding onto sensitive data it no longer needs and a data breach happens, your potential insurance claim will certainly be much more costly than it would have been if your company had purged any sensitive data that was no longer needed. This is why companies that maintain a large number of sensitive individual records tend to have higher cyber insurance premiums.
Don’t Use Personal Information When It’s Not Necessary
Train Your Staff on Information Security and Data Privacy Standards
While the FTC does not expect your company to send your entire staff off to get degrees in Information Security and Data Privacy, it is expected, and deemed a best practice, that your company educate its staff on the standards you expect them to uphold. According to the FTC, since the nature of your business may change and threats will evolve, conduct “all hands on deck” refreshers to explain new policies and reinforce your company’s rules of the road. As it relates to cyber insurance, and according to Beazley’s July 2017 Breach Insights, accidental breaches caused by employee error or data breached while controlled by third party suppliers continue to be a major problem, accounting for 30% of breaches overall. Therefore, if you have employees, be sure that you’re educating them on the information security and data privacy standards you expect them to uphold.
FTC Provided Example: Before new employees are given network access, a company requires them to participate in in-house training. To encourage their attention, the presentation features brief interactive quizzes. In addition, the company includes security-related tips in its weekly email updates to all employees and periodically requires them to take refresher courses. By training its staff on how to handle sensitive data and reinforcing its policies with regular reminders and supplemental security education, the company has taken steps to encourage a culture of security.
When Feasible, Offer Consumers More Choices
According to the FTC, think through your data collection practices both in the day-to-day operation of your business and in the products, services, apps, etc., you offer consumers. Design your products to collect sensitive information only if it’s necessary for functionality and clearly explain your practices to consumers up front. Consider how you can use default settings, set-up wizards, or toolbars to make it easier for users to make more secure choices. For example, if your product offers a range of privacy choices – from secure settings for less experienced users to advanced options for “black diamond” pros – set the out-of-the-box defaults at the more protective levels. As it relates to cyber insurance, for those companies that are developing software and other products, it is important that your company builds in security and privacy protections before releasing your software and/or product.
Please be sure to check back next week for more Cyber Insurance Compliance Insights from FTC Investigations.