Corporate compliance officers grapple all the time with what their companies should do to develop effective information protection programs. Thankfully the Federal Trade Commission has given us two recent enforcement actions that we can study to answer that question.
The two cases, against an online liquor store and an online student services business, are eerily similar. Both companies allowed poor cybersecurity practices to take root in their operations and didn’t bother to implement well-known, relatively straightforward protection measures. Those lapses left the companies exposed to internal and external threats alike – and sure enough, both companies suffered painful data breaches.
The FTC then imposed consent decrees against both companies, requiring steps such as better security training, more comprehensive written policies, and more frequent risk assessments.
Taken together, the two settlements read like a set of cybersecurity best practices that the FTC (and other regulators) wants companies to adopt. And since the need for better information protection and privacy is going nowhere but up, compliance officers would do well to understand what those best practices are.
Begin with the failures
We can start with a review of what these companies didn’t do to protect the personal data in their possession. Skimming through the FTC complaints, we find failures such as:
- No written policies, procedures, or practices for how to safeguard personal data
- Inadequate training on security procedures, for both employees and third-party contractors
- No monitoring of network activity to detect and (ideally) intercept unauthorized transfers of data outside the network
- Poor access control, including blunders such as not cutting off access for terminated employees, allowing weak passwords, and failing to use multi-factor authentication at appropriate places
- No data destruction policies and procedures to delete customer data no longer necessary for corporate operations
- Not encrypting sensitive data, or using obsolete encryption tactics that hackers already knew how to break
The above mistakes do span a wide range. Some are technical in nature, such as using obsolete encryption methods or failing to monitor network activity. Others are failures of process, such as inconsistent security training or not cutting off access for terminated employees. And still more are policy failures – or, more precisely, not having any policies at all, for issues such as when to collect data or when to destroy it.
The theme connecting all of them, however, is that management never invested the time, attention, and resources to build a strong information protection program.
That’s the risk many companies face today. You grow so quickly that you fail to stop and ask: What information are we collecting about people? What privacy obligations do we incur when we collect it? And how can we uphold those obligations as we grow, our operations change, and external threats keep increasing too?
More than anything else, the FTC (and other regulators) want to see that companies take information protection seriously and integrate those concerns into business strategy and management oversight. That’s the message we can take away from these two recent FTC enforcement actions, and plenty of others coming down the pike these days. Regulators want to see a thoughtful, enterprise-wide, coordinated program to keep consumer information secure.
And what should that thoughtful program look like? The two FTC settlements have something to say about that, too.
Best practices for information protection
The FTC imposed consent orders on both companies, and the orders contained many of the same requirements. Among them:
- Naming a qualified employee to coordinate and be responsible for the information security program
- Annual training for all employees on how to protect information
- Adopting a data retention schedule, including provisions for deleting any data no longer needed for business purposes
- Comprehensive security assessments performed by a qualified, independent third party every other year
- Implementing multi-factor authentication (MFA) for any employees or third-party contractors when they access confidential information
A compliance officer might look at those terms and think, “Those are the elements of an effective compliance program! We’ve been doing stuff like that for anti-corruption for years!”
Well, yes. Conceptually, the FTC’s requirements here are similar to the elements of an effective compliance program as defined by the U.S. Sentencing Guidelines and the Justice Department. A designated person to lead the program; policies and procedures; oversight of third parties, internal controls, audits – they’re all there in the bullet points above, just reconfigured for the world of information protection.
That’s the point. Information protection programs can no longer be a slapdash effort left to the IT department. Rather, information protection needs to be a “whole of company” effort where every employee (and third party) understands that they need to handle company data with as much care as they would for company money.
Look no further than the first bullet point above, about naming a qualified employee to be responsible for the information protection program. One can make a strong argument that this person should not be the head of cybersecurity, because the duties involved – writing and setting policy, hiring auditors, running training – go far beyond what most cybersecurity professionals are trained to do.
That’s not to say the compliance officer is a shoo-in for this job either, since other duties are decidedly technical in nature and might be outside the CCO’s comfort zone. Instead, the best approach here would be for senior leaders to define a role – CISO or chief privacy officer, for example – and then hire someone who can straddle both the technical and policy ends of the job.
Modern information protection programs will need other capabilities too, such as technology to help you track your compliance obligations and map out which controls you do or don’t have to fulfill those obligations. You’ll also need capabilities to assign remediation tasks and alert more senior people when those tasks aren’t done.
In the final analysis, however, the message from regulators is that information protection must be baked into a company’s culture and practices from the start. It’s going to require board-level support of the idea, strong individual leadership of the program, and robust capabilities within the program to give data protection the priority it deserves.