<div dir="ltr"><a href="http://www.jdsupra.com/legalnews/best-practices-for-implementing-99475/">http://www.jdsupra.com/legalnews/best-practices-for-implementing-99475/</a><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><p>
Many security risks can be avoided or mitigated by implementing
sufficient internal security controls that are tailored to the
organization’s size, needs, and specific industry. The Federal Trade
Commission (“FTC”) sets forth best practices for implementing internal
security controls, which include avoiding unreasonable risk. Although
avoiding unreasonable risk sounds like obvious advice, companies often
fail to recognize the ways such risk can be avoided. This article provides
practical advice that companies can use when implementing internal
security controls to ensure that unreasonable risk is avoided.</p>
<p>
First, companies must limit what personally identifiable or other
protected information is collected. Such information should only
be collected when there is a legitimate business need for it, and only to
the extent necessary. For example, in the case of <em>United States of America v. RockYou, Inc.</em>,
RockYou collected and stored email addresses and passwords although
these emails and passwords were not needed to provide services to
RockYou’s customers. RockYou also stored the passwords in clear text.
RockYou’s collection and storage of email addresses and passwords,
without a legitimate business need for such information, was found by
the FTC to create unreasonable risk with respect to this information, and
RockYou was fined $250,000. In an age of “big data,” this case highlights the
importance for companies of collecting only the information that is
actually needed to provide their services.</p>
<p>
Second, companies must ensure that any personally identifiable or other
protected information that is collected, and is necessary for providing
the company’s services, is stored only for as long as the information is
actually needed. In the case of <em>In the Matter of BJ’s Wholesale Club, Inc.</em>,
the organization stored credit and debit card information that was used
to complete in-store transactions for up to thirty days, even though
there was no legitimate need to keep this information for so long after
the transaction was completed. Storing this information after the
transaction was complete, with no legitimate business reason, was found
to create unreasonable risk with respect to the credit and debit card
information. As part of its settlement with the FTC, BJ’s Wholesale Club
agreed to submit to third-party audits for a period of twenty years.
This case highlights the fact that companies cannot store the personally
identifiable or other protected information of their customers forever.
There must be mechanisms in place that routinely audit the
information that is stored and delete any information that is no longer
needed.</p>
<p>
Third, companies must limit the use of personally identifiable and
other protected information to only those situations in which it is actually
necessary. For example, in the case of <em>In the Matter of foru International Corporation</em>, the company gave developers access to real customer data during application development, and in <em>In the Matter of Accretive Health, Inc.</em>,
the company used real personally identifiable information during
in-house training sessions. In both cases, the FTC found that the companies
used personal information when it was not necessary.</p>
<p>
Companies must carefully consider the ways in which unreasonable risk can
be avoided. A well-drafted internal control plan that addresses these
issues can significantly reduce security risks.</p></div></div></div></div></div></div></div></div></div>
</div>