[BreachExchange] Best Practices For Implementing Internal Security Controls

[Inga Goddijn]

http://www.jdsupra.com/legalnews/best-practices-for-implementing-99475/

Many security risks can be avoided or mitigated by implementing sufficient
internal security controls which are tailored to the organization’s size,
needs, and specific industry.   The Federal Trade Commission (“FTC”) sets
forth best practices for implementing internal security controls which
includes avoiding unreasonable risk.  Although avoiding unreasonable risk
sounds like obvious advice, companies often fail to recognize ways such
risk can be avoided.  This article provides practical advice that companies
can use when implementing internal security controls to ensure unreasonable
risk is avoided.

First, companies must limit what personally identifiable or other protected
information is being collected.  Such information should only be collected
when there is a legitimate business need for it and only to the extent
necessary.  For example, in the case of *United States of America v.
RockYou, Inc.*, RockYou collected and stored email addresses and passwords
although these emails and passwords were not needed tp provide services to
RockYou’s customers.  RockYou also stored the passwords in clear text.
RockYou’s collection and storage of email addresses and passwords, without
a legitimate business need for such information, was found by the FTC to
create unreasonable risk with respect to this information and fined
$250,000.  In an age of “big data,” this case highlights the importance for
companies to only collect that information which is actually needed to
provide its services.

Second, companies must ensure that any personally identifiable or other
protected information this is collected, and is necessary in providing the
company’s services, is stored for only as long as the information is
actually needed.  In the case of *In the Matter of BJ’s Wholesale Club,
Inc.* the organization stored credit and debit card information that was
used to complete in-store transactions for up to thirty days even though
there was no legitimate need to keep this information for so long after the
transaction was completed.  Storing this information after the transaction
was complete, with no legitimate business reason, was found create
unreasonable risk with respect to the credit and debit card information.
As part of its settlement with the FTC, BJ Wholesale agreed to submit to
third party audits for a period of twenty years.  This case highlights the
fact that companies cannot store personally identifiable or other protected
information of its customers forever.  There must be mechanisms in place
that will routinely audit the information that is stored and delete any
information that is no longer needed.

Third, companies must limit the use of personally identifiable and other
protected information to only those situations when it is actually
necessary.  For example, in the case of *In the Matter of foru
International Corporation*, the company gave developers access to real
customer data during application development and in *In the Matter of
Accretive Health, Inc.,* the company used real personally identifiable
information during in-house trainings.  In both cases, the FTC found that
the companies used personal information when it was not necessary.

Companies must carefully consider ways in which unreasonable risk can be
avoided.  A well drafted internal control plan that addresses these issues
can significantly reduce security risks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160703/d9aa8865/attachment.html>