Data Breach Prevention

Almost daily, news breaks of another corporate data breach that puts millions of customer’s sensitive data in the hands of hackers. No company is safe from data breaches, as even the most secure corporations have fallen prey to a cyberattack.

Any business that collects personal information from consumers is required to have a security plan to protect the confidentiality and integrity of their information. With that in mind, here are some best practices for data breach prevention, and how to design and implement them so you and your customers can sleep easy knowing your data is safe.

What Is a Data Breach?

With so many of us dependent on the internet for work, you’ve no doubt heard all about data breaches. But did you know that there are three different major types of breaches?

Here’s a quick overview of each:

• Electronic Breach – An electronic breach can occur without hackers having to physically seize any device. Anytime an unauthorized user gains access to a system or network electronically, this type of breach is what has occurred.
• Physical Breach – Let’s say you’re working remote at your favorite coffee shop. You get up to go get another cup of coffee and come back to your table to find that your laptop is no longer there. This is a classic example of a physical data breach. Stolen laptops, tablets, smartphones and flash drives are all easy targets thieves and hackers alike.
• Skimming – No, this doesn’t refer to how you “read” your work emails. Skimming is a type of data breach where your credit card information is captured and recorded by a device without your knowledge. It can happen when you swipe your card at the gas station, or even while waiting in line for the second cup of joe.

Fear not though, as the best way for you to prevent a data breach of your property is to simply heighten your awareness. Never leave anything that holds data outside of your reach.

Sadly, data breaches are nothing new, and they aren’t going anywhere. But not all data collectors are doing so nefariously or for personal gain. In fact, financial institutions, since they collect a wide array of data from their clients, are kept in check thanks to the Safeguard Rule.

What Is the Safeguards Rule?

When consumers open an account, register to receive information, or purchase a product from a business, it is very likely that they will entrust their personal information as part of the process. If this information is compromised, the consequences can be far-reaching: consumers can be at risk of identity theft, or they can discontinue dealing with the business.

A business that collects personal information from consumers should have a security plan to protect the confidentiality and integrity of the information. This is why the Federal Trade Commission (FTC) has issued the Safeguards Rule as part of the Gramm-Leach-Bliley (GLB) Act. The GLB Act and Safeguards Rule requires financial institutions that collect personal information from their customers to ensure the security and confidentiality of that private information.

The Safeguards Rule applies to businesses, regardless of size, that are "significantly engaged" in providing financial products or services to consumers. This includes:

• Check-cashing businesses
• Data processors
• Mortgage brokers
• Non-bank lenders
• Personal property or real estate appraisers
• Professional tax preparers
• Courier services
• Retailers that issue credit cards to consumers

The Safeguards Rule also applies to financial companies, like credit reporting agencies and ATM operators, that receive information from other financial institutions about their customers. In addition to developing their own safeguards, businesses are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

The threats to the data security of a business’ information are varied – from computer hackers to disgruntled employees to simple carelessness. While protecting computer systems is an important aspect of information security, it is only part of the process. We’ve gathered key information on how businesses can protect personal information from a data breach, as well as additional resources to help design and implement an information security plan.

Security Planning for Data Breaches

Sound information and data security for a business means regular risk assessment, effective coordination and oversight, and prompt response to new developments. Basic steps in information and data security planning for breach prevention include:

• Identifying internal and external risks to the security, confidentiality and integrity of customers’ personal information.
• Designing and implementing safeguards to control the risks.
• Periodically monitoring and testing the safeguards to be sure they are working effectively.
• Adjusting the security plan according to the results of testing, changes in operations or other circumstances that might impact information security.
• Overseeing the information handling practices of service providers and business partners who have access to the personal information. If access to records or the computer network is provided to another organization, they should have good security programs, as well.

When setting up a security program, businesses should consider all the relevant areas of its operations, including employee management and training, information systems like network and software design, information processing and contingencies that include preventing, detecting and responding to a system failure.

Although the security planning process is universal, there’s no “one size fits all” security plan. Every business faces its own special risks. The administrative, technical, and physical safeguards that are appropriate really depend on the size and complexity of the business, the nature and scope of the business, and the sensitivity of the consumer information it keeps.

Risk Assessment and Controls

Computer systems are not a business’ only responsibility related to information security, but they are an important one. With new vulnerabilities announced near weekly, and cybercrime on the rise, many businesses may feel overwhelmed trying to keep current.

Guidance is available from leading security professionals who put together consensus lists of vulnerabilities and defenses so that every organization, regardless of its resources or expertise in information and data security, can take basic steps to reduce its risk of a data breach.

One of these lists is the OWASP Top Ten, a resource that describes common vulnerabilities for web applications and databases, and the most effective ways to address them. Another is the CIS Controls, a set of guidelines and actionable solutions to stopping cyberattacks.

The lists identify the commonly exploited vulnerabilities that pose the greatest risk of harm to information systems. A business can use these lists to help prioritize its efforts so that the most serious threats are tackled first.

How to Secure Information to Help Prevent a Data Breach

When a business implements safeguards, it should consider all areas of its operation, including three areas that are particularly important to information security: employee management and training, information systems and managing system failures. The business should consider implementing the following practices in these areas.

Employee management and training

The success or failure of your information security plan depends largely on the employees who implement it. You may want to check references prior to hiring employees who will have access to customer data.

Ask every new employee to sign an agreement to follow your organization's confidentiality and security standards for handling customer data and information.

Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer data, such as:

• Locking rooms and file cabinets where paper records are kept
• Using password-activated screensavers
• Using strong passwords (at least eight characters long)
• Changing passwords periodically, and not posting passwords near employees' computers
• Encrypting sensitive customer information when it is transmitted electronically over networks or stored online
• Referring calls or other requests for customer information to designated individuals who have had safeguards training
• Recognizing any fraudulent attempt to obtain customer information and reporting it to the appropriate law enforcement agencies

Instruct and regularly remind all employees of your organization's policy — and the legal requirement — to keep customer data and information secure and confidential. You may want to provide employees with a detailed description of the kind of customer information you handle (name, address, account number, and any other relevant information) and post reminders about their responsibility for security in areas where such information is stored - in file rooms, for example.

Limit access to customer information to employees who have a business reason for seeing it. For example, grant access to customer information files to employees who respond to customer inquiries, but only to the extent they need it to do their job.

Develop secure information systems

Information systems include network and software design, information processing, storage, transmission, retrieval and disposal. The following are suggestions on how to maintain security throughout the life cycle of customer information — from data entry to data disposal.

• Store records in a secure area and make sure only authorized employees have access to the area
• Store paper records in a room, cabinet or other container that is locked when unattended
• Ensure that storage areas are protected against destruction or potential damage from physical hazards, like fire or floods
• Store electronic customer information on a secure server that is accessible only with a password — or has other security protections — and is kept in a physically-secure area
• Do not store sensitive customer data on a machine with an Internet connection
• Maintain secure backup media and keep archived data secure, for example, by storing off-line or in a physically-secure area

Provide for secure data transmission

Consider enacting the following to make sure sensitive data is safely transferred.

• If you collect credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection so that the information is encrypted in transit
• If you collect information directly from consumers, make secure transmission automatic
• Caution consumers against transmitting sensitive data, like account numbers, via electronic mail
• If you must transmit sensitive data by electronic mail, ensure that such messages are password protected so that only authorized employees have access

Dispose of customer information in a secure manner

Confidential information needs to be disposed of as safely as possible so that cyberthieves aren’t able to access it. Be sure to:

• Hire or designate a records retention manager to supervise the disposal of records containing nonpublic personal information
• Shred customer information recorded on paper
• Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contain customer information
• Effectively destroy the hardware
• Promptly dispose of outdated customer information
• Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. For example, supplement each of your customer lists with at least one entry (such as an account number or address) that you control, and monitor use of this entry to detect all unauthorized contacts or charges
• Maintain a close inventory of your computers

Managing System Failures

Effective security management includes the prevention, detection, and response to attacks, intrusions, or other system failures. Effective ways to maintain up-to-date appropriate programs and controls include:

• Following a written contingency plan to address any breaches of your physical, administrative, or technical safeguards
• Checking with software vendors regularly to obtain and install patches that resolve software vulnerabilities
• Using anti-virus software that updates automatically
• Maintaining up-to-date firewalls, particularly if you use broadband Internet access or allow employees to connect to your network from home or other off-site locations
• Providing central management of security tools for your employees and passing along updates about any security risks or breaches
• Take steps to preserve the security, confidentiality, and integrity of customer information in the event of a computer or other technological failure. For example, back up all customer data regularly
• Maintain systems and procedures to ensure that access to nonpublic consumer information is granted only to legitimate and valid users. For example, use tools like passwords combined with personal identifiers to authenticate the identity of customers and others seeking to do business with the financial institution electronically
• Notify customers promptly if their nonpublic personal information is subject to loss, damage or a data breach

How to Properly Dispose of Consumer Report Information

In an effort to protect the privacy of consumer information and data to reduce the risk of fraud and identity theft, a federal rule requires businesses to take appropriate measures to dispose of sensitive information derived from consumer reports.

Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule (Opens in a new tab). The Rule requires the proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.”

According to the FTC, the standard for the proper disposal of information derived from a consumer report is flexible, and allows the organizations and individuals covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.

Protection Can Come in Many Forms

As you begin to undertake the tasks above in an effort to secure your business from data breaches, remember to back up your important files to an encrypted, offsite, redundant storage facility. Taking on the task of getting your data secure can feel overwhelming, and it’s here where accomplishing small goals each day will pay off.

While you’re thinking about protecting your data, remember to take time out and review your business policy with an agent. You’re going to find coverage that fits your business’ needs, and feel great knowing that you’re protected from whatever might come your way.

This article is for informational purposes only and is available through different sources. This information does not, and is not intended to, constitute legal advice. You should contact your attorney for legal advice specific to your situation.