[BreachExchange] Avoiding Data Breaches: Lessons From Regulations

[Audrey McNeil]

https://www.jdsupra.com/legalnews/avoiding-data-breaches-lessons-from-10413/

In January of 2017, an amendment to the Federal Acquisitions
Regulation(“FAR”) went into effect related to protecting private personal
information and requiring privacy training for all federal government
contractors. The regulations were issued pursuant to The Privacy Act of
1974. 5 U.S.C. § 552a. The Privacy Act governs federal agency collection,
maintenance, use, and dissemination of information about individuals that
is maintained their systems of records. The regulations provide some
interesting lessons for civilian companies in avoiding data breaches. See
F.A.R. Subpart 24.301.

Avoiding Data Breaches: Training is Needed

The first lesson from the regulations is that training of employees is
necessary.

How Often?

The second lesson is that training needs to be done regularly. The
regulations require annual training. This is not surprising given the speed
of advancements in technology, both in hardware and software. As quickly as
antidotes to computer viruses are created, more viruses are created. As
quickly as machine vulnerabilities are fixed, new access points are located.

When Must Employees be Trained?

And, all employees must receive their training at the beginning, before
they start handling this type of information.

Who Must be Trained?

This is one of the more interesting aspects of the regulations. Subpart
24.301 states that contractors must provide training to the following three
types of contractor employees:

- Those with access to a “system of records” being defined as a system from
which information can be obtained revealing the name of an individual or
any identifying number or mark that is distinctively assigned to the
individual
- Those who design, develop, maintain, and operate a “system of records”
- Those who create, collect, disclose, dispose of, disseminate, manage,
process, store or in any way handle personally identifiable information
(any data that can be used to determine an individual’s identity)

The government contracting officer is required to insert the
privacy-training clause in solicitations and contracts when any contractor
employees will have access to, or will design, develop, maintain, or
operate a system of records, or when contractor employees will handle
personally identifiable information.

What Does the Training Cover?

The regulations require contractors to cover certain topics with respect to
how this personal information should be handled and safeguarded. The
following elements are required:

- Unauthorized equipment — instructions about and limitations on use
- Confidentiality — rules
- Unauthorized use of the private information — who and what is prohibited
- How to properly handle and safeguard personal identifying information
- Information about the Privacy Act of 1974 and its role including
penalties for violations
- Procedures to follow in the event of an actual or suspected breach

Lessons for Private Sector Companies

There are many lessons for private sector companies that can be gleaned
from FAR subpart 24.301 for avoiding data breaches.

For businesses themselves, as noted, the first lesson is that training is
necessary and that it must be done often. Moreover, a very extensive
employee training regime is contemplated by the definitions of who is
required to be trained. We’ve written before, that employees are often the
first to identify a data breach. Training is mandated for anyone with
access, who designs, develops, maintains, and operates and for those who
handle the personal.

This either suggest company-wide training protocols or the need to design
the systems of records so that access is limited and segregated (thereby
decreasing the number of employees who need training).

Just as importantly, private-sector companies concerned about data
breaches, must strongly consider adding this type of training provision
vendor contracts any other contracts made with third-parties who will have
access to your system of records and who will handle the personal
identification information collected, held and controlled by your company.
Indeed, this may be necessary. If the government require privacy training
for their contractors, shouldn’t your business? As we discussed recently
with respect to the case of FTC v. Wyndham Worldwide Corp., 799 F. 3d 236
(3rd Cir. 2015), the Federal Trade Commission filed charges against Wyndham
partly because Wyndham failed to adequately restrict access to its servers
by third-party vendors and failed to restrict access to only those portions
of the network that were needed. Wyndham suffered several data breaches
where hackers stole personal and financial information for hundreds of
thousands of consumers. The hackers made over $10.6 million dollars in
fraudulent charges. The FTC and Wyndham eventually settled. See here.

What Should You Do?

- Review: A review of company policies and procedures should be done to
ensure that training is being provided for the full range of employees that
have access, are using or who are handling private information
- Audit: For larger companies, an audit is needed to detail exactly which
employees have access and to what extent and to determine who is using and
handling the private information
- Rewrite job descriptions: To the extent necessary, job duties and
descriptions should be reviewed and rewritten to consolidate access and
handling of private information
- Review current privacy procedures and policies should be reviewed to
confirm compliance and add training regimens
- Implement a training program
- Review vendor contracts and insert privacy training provisions if any
vendor employees will have access to, or will design, develop, maintain or
operate a system of records or when vendor employees will handle personally
identifiable information — require such training for subcontractors too
- Review independent contractor or consulting agreements for the same
reasons
- Keep good records: Knowing who had access and when helps with breach
containment and remediation; likewise, good records can help convince
governmental authorities that your business was diligent and will be
essential in any litigation that follows a data breach.

It can’t be emphasized enough, that business need to follow best
practicesand be aware of data breach notification laws both in the US and
EU. Data breaches can be costly both in terms of lost business from loss of
consumer confidence, required notifications and straight-forward costs in
terms of litigation costs and the costs of responding to government
investigators.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171127/7bcd4105/attachment.html>