This week’s article, part of our new ongoing weekly series “Cyber Insurance Compliance Insights from FTC Investigations”, reflects on why it is important for companies to store sensitive personal information securely and protect it during transmission.
Our weekly blog series is a spinoff of the FTC’s new “Stick with Security: Insights into FTC Investigations” series. Each week we recap the FTC’s latest data security insights and explain how those measures can help companies demonstrate cyber insurance compliance. For companies looking to obtain cyber insurance, it is essential to be able to show that they have implemented baseline security measures.
First off, hackers can’t steal what you don’t have. Therefore, be sure your company collects, maintains and stores only the sensitive data it needs. Collecting sensitive data on the off chance you might use it someday isn’t a sound policy. The wiser practice is to sensibly limit what you collect and then store it securely.
Got Data? Are you encrypting?
According to the FTC, one important security tool is encryption. Encryption is the process of transforming information so that only the person (or computer) holding the key can read it. Companies can use encryption for sensitive data at rest and in transit to help protect it across websites, on devices, or in the cloud.
Keep Sensitive Information Secure Throughout its Lifecycle
First off, does your company have a data retention policy? If you no longer need the sensitive data your company is storing, and you’re not in a regulated industry with specific data retention timelines, don’t store what you no longer need. For example, if your company suffers a data breach involving 10,000,000 sensitive customer records, it does not matter whether that information is new or old: under 48 U.S. state privacy laws, your company will have to determine its data breach notification requirements based upon all 10M customer records. This is why it is important to keep your company’s total sensitive record count under close watch, and advisable to designate a specific individual in your company to handle this task.
In addition, it is important to create a data lifecycle map so that your company has a clear picture of how data is collected, maintained, and stored. This way, you know how sensitive data enters your company, moves through it, and exits. Once you have a handle on its journey through your systems, it’s easier to keep your guard up at every stop along the way.
FTC-provided example: A recipe website allows customers to create individual profiles. In designing the registration page, the company considers the many categories of information it could ask for and narrows them down to the ones justified by a business reason. For example, the company considers asking for the user’s date of birth to tailor the site to recipes that might appeal to people of that demographic, but then decides to let consumers pick age ranges instead. By thinking through its need for the information and collecting a less sensitive kind of data, the company has made a more secure choice that will still allow it to tailor the user experience.
As it relates to cyber insurance, your company’s total record count is going to be used in factoring your company’s cyber and data risk, and in assessing your company’s cyber insurance premium. I have had clients halt their cyber insurance underwriting process in order to reassess and reduce their record count before moving forward with underwriting and purchasing a cyber insurance policy. Besides using your record count to assess your company’s cyber insurance premium, underwriters want to know how many individuals will need to be notified when a data breach happens. Simply put, the more records your company holds, the costlier a data breach becomes.
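The retention discipline described above, as an added example that is not part of the original post: it applies a hypothetical per-category retention policy to a constructed set of records, honours a regulatory hold, and reports the sensitive record count before and after the purge, which is the number that drives notification scope and the premium. The category names, retention periods and sample records are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Record:
    record_id: str
    category: str          # e.g. "ssn", "payment_card", "email", "marketing_pref"
    collected: date
    legal_hold: bool = False   # regulated retention timeline overrides the policy

# Hypothetical retention policy: sensitive category -> days to keep.
# Categories not listed here are not treated as sensitive for counting purposes.
RETENTION_DAYS = {"ssn": 365, "payment_card": 90, "email": 730}

def expired(record: Record, today: date, policy=RETENTION_DAYS) -> bool:
    """True when the record's category has a retention limit, no legal hold
    applies, and the limit has passed."""
    days = policy.get(record.category)
    if days is None or record.legal_hold:
        return False
    return record.collected + timedelta(days=days) < today

def sensitive_record_count(records, policy=RETENTION_DAYS) -> int:
    """Count records in the categories the policy treats as sensitive."""
    return sum(1 for r in records if r.category in policy)

def apply_retention(records, today: date, policy=RETENTION_DAYS):
    """Return (kept, purged, report); report holds the before/after counts."""
    kept = [r for r in records if not expired(r, today, policy)]
    purged = [r for r in records if expired(r, today, policy)]
    report = {
        "sensitive_before": sensitive_record_count(records, policy),
        "sensitive_after": sensitive_record_count(kept, policy),
        "purged": len(purged),
    }
    return kept, purged, report

# Constructed sample data set (not real customer records).
SAMPLE = [
    Record("r1", "ssn", date(2022, 6, 1)),                     # past 365-day limit
    Record("r2", "ssn", date(2023, 9, 1)),                     # still within limit
    Record("r3", "payment_card", date(2023, 8, 1)),            # past 90-day limit
    Record("r4", "payment_card", date(2023, 8, 1), legal_hold=True),  # held
    Record("r5", "marketing_pref", date(2020, 1, 1)),          # not sensitive
    Record("r6", "email", date(2021, 1, 1)),                   # past 730-day limit
]

if __name__ == "__main__":
    _, _, summary = apply_retention(SAMPLE, date(2024, 1, 1))
    print(summary)
```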
Use Industry Tested and Accepted Methods
The FTC advises that companies should use industry-tested and accepted methods. This is certainly sound advice. I’m not going to suggest that your company chase and purchase the latest and greatest security tools that come to market daily, but it’s a good idea to keep an eye on new methods and developments as technology evolves: new innovations arise that may be better than what’s currently available.
Ensure Proper Configuration
CIS Control #3 (as published by SANS and CIS) advises organizations to establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process, in order to prevent attackers from exploiting vulnerable services and settings.
CIS (Center for Internet Security) states that even if a strong initial configuration is developed and installed, it must be continually managed to avoid security “decay” as software is updated or patched, new security vulnerabilities are reported, and configurations are “tweaked” to allow the installation of new software or support new operational requirements. If not, attackers will find opportunities to exploit both network-accessible services and client software.
CIS Configuration Tips:
Establish standard secure configurations of operating systems and software applications.
Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise.
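A minimal configuration drift check for the “security decay” CIS describes, added here as an example and not taken from CIS or the original post: a hypothetical golden baseline for a secure server image is compared against a constructed sshd_config-style capture from a host, and every setting that was tweaked away from or dropped from the baseline is reported. The baseline keys and values are assumptions, not benchmark text.

```python
# Hypothetical golden baseline from the organization's secure image.
# Values are constructed for illustration, not copied from a CIS benchmark.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

def parse_config(text: str) -> dict:
    """Parse 'Key value' lines (sshd_config style), ignoring comments and blanks.
    A later duplicate key overwrites an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings

def check_drift(observed: dict, baseline: dict = BASELINE) -> list:
    """Return (key, kind, expected, actual) tuples for every baseline setting
    that is missing from the host or differs from the secure image."""
    findings = []
    for key, expected in baseline.items():
        if key not in observed:
            findings.append((key, "missing", expected, None))
        elif observed[key].lower() != expected.lower():
            findings.append((key, "changed", expected, observed[key]))
    return findings

# Constructed capture from a host after an operational "tweak".
OBSERVED_TEXT = """
# captured sshd_config fragment (constructed sample)
PermitRootLogin yes          # re-enabled to support a legacy install script
PasswordAuthentication no
MaxAuthTries 4
Port 22
"""

def drift_report(text: str = OBSERVED_TEXT) -> list:
    return check_drift(parse_config(text))

if __name__ == "__main__":
    for key, kind, expected, actual in drift_report():
        print(f"{kind:8} {key}: expected {expected!r}, got {actual!r}")
```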
Please be sure to check back next week for more Cyber Insurance Compliance Insights from FTC Investigations.