DEMPSEY FOSTER
News & Insights

2/18/2021

A Strategy for Data Security: Battening Down the Hatches Part 2

All organizations, regardless of size or industry, have digital data to protect. This includes customer data, employee data, financial data, medical data, confidential business information, and intellectual property.

In the last year, the pandemic has forced many businesses to increase their electronic engagement with employees, customers, and suppliers, which has created a broader range of digital data susceptible to cyberthreats. Responding to a customer data breach can cost hundreds of thousands, if not millions, of dollars to address. The loss in brand confidence and reputation is incalculable.

What can businesses do? Develop a cybersecurity strategy to prevent breaches before they occur and contain them if they do.

What is data security?

Data security is the protection of digital information from unauthorized access, corruption, or theft. A data security practice encompasses every aspect of securing information: physical security of storage devices, digital access controls, and organizational policies and procedures. Robust protocols secure information from outside threats, such as hacking, virus threats, fakesourcing, and phishing, as well as from inside misuse and corruption. A strong data security policy employs protocols that are both technical (encryption, tokenization, data masking, redaction) and procedural (controlling access to, and retention of, sensitive data).

Data security also covers a business's obligations to protect customers' private or confidential information as well as the business's own proprietary information. For example, companies must handle in specific ways any identifying information about customers or website visitors they may obtain. Many laws and regulations create legal notice, use, and opt-out requirements for businesses in both regulated and non-regulated industries, often regardless of company size or revenue.

The pandemic has increased cybersecurity challenges. The Idaho Attorney General's office reports that, since the beginning of the pandemic, phishing email scams are up 667%, 90% of the tens of thousands of new Coronavirus-related web domains are scams, and ransomware attacks have increased 72%.

What is the law?

Unfortunately, there is no single national law that creates a cybersecurity checklist. There are federal statutes, some general and some industry-specific; state laws that address privacy, data security, and data breach responses; and even international laws that affect many U.S. companies. For example:

  • Federal Trade Commission Act (FTC Act): The FTC Act prohibits unfair or deceptive practices in the marketplace. The FTC has extended security obligations regarding personal information to non-regulated industries, asserting that a failure to provide appropriate information security for consumer personal information is itself an unfair trade practice.
  • Industry-specific privacy statutes: Gramm-Leach-Bliley Act, GLBA (financial institutions); Health Insurance Portability and Accountability Act of 1996, HIPAA (healthcare sector); Privacy Act of 1974 (federal government).
  • State privacy laws: For example, the California Consumer Privacy Act of 2018 (CCPA) gives California residents broad privacy rights regarding personal information that businesses—even businesses outside of California—collect about them.
  • State unfair and deceptive trade practices laws: State consumer protection statutes typically require businesses to not engage in unfair or deceptive trade practices. The FTC has found that failing to take reasonable steps to protect consumer information can be an unfair practice, even if not a deceptive one.
  • State laws regarding data breaches: Many states also have specific statutes detailing how a company must respond to a data breach incident. In Idaho, for example, any company that “conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho” must, upon becoming aware of a security breach, (1) provide notice to the office of the Idaho attorney general within twenty-four hours, and (2) conduct a “reasonable and prompt investigation” to determine the likelihood that personal information has been or will be misused. See Idaho Code § 28-51-105(1).
  • International laws: The General Data Protection Regulation 2016/679 (GDPR) requires companies receiving data of European Union residents to comply with broad privacy rights afforded in the European Union. Recent uncertainty about the ability of U.S. companies to comply with the GDPR has caused some companies to stop collecting data from EU residents altogether.
How to develop a data security protocol

To develop a data security protocol, companies should begin by evaluating several factors:

  1. Physical security measures. Identify and secure the physical locations of your data, including computer servers, remote devices, and data storage units. This can be as simple as requiring both in-house and remote workers to keep their computers in locked offices or otherwise physically secured, implementing access-limitation protocols, and imposing authentication requirements.
  2. Types of data. Identify the categories of data you receive and maintain, including personally identifiable information you collect from customers and other members of the public; trade secrets or other confidential business information; and personal information about employees.
  3. Use of data. For each data category, determine how you collect it, who has access to it, whether it is manipulated, whether you provide it to third parties, where you store it, and how long you store it.
  4. Third parties. Identify how you share information with third parties, including IT management, payroll processing, and human resources vendors, and for what purposes. Require third parties to agree to appropriate security measures for protecting and using data. Be aware that if a third-party data processor experiences a data breach, you may be responsible for complying with the notification and breach response requirements of your jurisdiction.
  5. Technical security measures. Ensure you are utilizing appropriate technical security measures, such as encryption, tokenization, password-protection, two-step authentication, or biometric access, at each point of data transfer and storage.
  6. Data breach protocols. Develop a meaningful and practical data breach protocol that complies with the law of your jurisdiction and that enables you to act quickly in the event of a data breach.
  7. Data retention. Create data retention protocols that ensure you are complying with data retention policies and laws but not retaining private or confidential data longer than required.

Other measures to consider include designating a security officer, conducting a risk assessment, implementing security protocols, continually monitoring your data security program, and creating privacy notices.

There are multiple sources online to assist your company in developing a cybersecurity strategy. For example, the National Institute of Standards and Technology created a Preliminary Cybersecurity Framework to help businesses develop a cybersecurity strategy. The State of Idaho maintains a website focused on helping Idahoans understand cybersecurity.

Cybersecurity strategies help businesses meet primary pandemic business concerns: maintaining revenue, strengthening customer relationships, preserving employee structures, and staying afloat. A strategic investment in cybersecurity is manageable and worth it.

714 W. State St.
Boise, ID 83702
(208) 401-9533
(855) 940-1879 (fax)
©2025 Dempsey Foster PLLC. All rights reserved.