How a Security Response Plan Can Help Your Business Expect the Unexpected
May 24, 2010
by Lesley Fair
Taking steps to protect personal information in your files and on your computer can go a long way toward preventing a security breach. Nevertheless, breaches can happen. That’s why the Federal Trade Commission (FTC) recommends that companies have a plan in place to respond to security incidents before they occur. Putting together a “What if?” action strategy now may help reduce the impact an information breach can have on your business, your employees, and your customers.
Here are some tips from the FTC about customizing your company’s security response plan.
- View from the top. Senior management sets the tone for any organization’s commitment to data security. That’s why drafting, coordinating, and implementing your company’s response plan isn’t a job for a newcomer. Designate a well-respected senior official to head up your response team. Select someone with a reputation for working well with every part of your operation — sales, financial, personnel, information technology, etc. — and give him or her a “hot line” to the head of the company.
- Put a plan in place. Once you’ve put together your response team, have them draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field; others — a lost laptop or a hack attack, to name just two — are unfortunate, but foreseeable.
- Trust your gut. Experience sharpens intuition. If your staff suspects a breach, investigate it immediately. Waiting days to convene a committee or “run it up the corporate flagpole” can waste precious time.
- Pull the plug. If you suspect a computer breach, immediately sever the compromised computer’s access to the Internet and to your network. To assess the impact, ask your IT staff to preserve any available network logs, file transfer logs, system logs, and access reports. Investigate if intruders opened files or placed new programs on your computer. Did they release viruses or other malware? By diagnosing the damage and retracing the fraudsters’ steps, you can help your company shore up unanticipated vulnerabilities.
- Making contact. Consider whom to inform in the event of an incident, both inside and outside your company. You may need to notify consumers, law enforcement agencies, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, about 40 states have laws addressing data breaches. Have that information on file before you need it.
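The "Pull the plug" step above asks IT staff to preserve logs and work out whether intruders opened files or placed new programs on the machine. The following script is an added example written for this page; it is not from the FTC guide. It preserves a list of log files into an evidence folder with SHA-256 hashes (so the copies can later be shown to be unchanged), lists files modified after a cut-off time, and flags files whose modification time has been backdated. It assumes Linux/Unix semantics, where `st_ctime` is the inode change time (on Windows it is the creation time, so that check does not apply), and the `demo()` function builds a small constructed directory tree with a made-up log line and file names purely for illustration.

```python
"""Added first-responder helper (not FTC code): preserve logs with hashes and
flag recently added or backdated files. All paths and data are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large log files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(log_paths, evidence_dir):
    """Copy each existing log into evidence_dir and write a hashed manifest.

    copy2 keeps the original modification time; the recorded SHA-256 lets
    anyone later confirm a preserved copy is exactly what was collected.
    The destination name is the full source path flattened with "__" so two
    logs with the same basename cannot overwrite each other."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in map(Path, log_paths):
        if not src.is_file():
            continue  # a missing log shows up as an absence from the manifest
        resolved = src.resolve()
        flat = resolved.relative_to(resolved.anchor).as_posix().replace("/", "__")
        dest = evidence_dir / flat
        shutil.copy2(resolved, dest)
        manifest.append({"source": str(resolved), "copy": str(dest),
                         "sha256": sha256_of(dest), "size": dest.stat().st_size,
                         "collected_at": time.time()})
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Recompute every hash in the manifest; True only if all copies still match."""
    entries = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return all(sha256_of(e["copy"]) == e["sha256"] for e in entries)


def recently_changed(root, since_epoch):
    """Files under root whose modification time is at or after since_epoch:
    a quick first pass for programs an intruder placed or files they touched."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            fp = Path(dirpath) / name
            try:
                st = fp.stat()
            except OSError:
                continue
            if st.st_mtime >= since_epoch:
                hits.append(str(fp))
    return sorted(hits)


def timestamp_anomalies(root, tolerance_seconds=3600):
    """Files whose inode change time (ctime) is much later than their mtime.

    Backdating a file with utime/touch moves mtime but not ctime, so a large
    gap is a common sign of tampering. Files copied with preserved timestamps
    show the same pattern, so treat each hit as a lead, not proof."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            fp = Path(dirpath) / name
            try:
                st = fp.stat()
            except OSError:
                continue
            gap = st.st_ctime - st.st_mtime
            if gap > tolerance_seconds:
                found.append({"path": str(fp), "mtime": st.st_mtime,
                              "ctime": st.st_ctime, "gap_seconds": gap})
    return sorted(found, key=lambda e: e["path"])


def demo():
    """Build a constructed scratch tree and run the checks over it."""
    work = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    host = work / "host"
    (host / "var" / "log").mkdir(parents=True)
    (host / "opt").mkdir()
    log = host / "var" / "log" / "auth.log"
    log.write_text("Jan 01 03:14:15 sshd[1]: Accepted password for admin\n")  # constructed
    backdated = host / "opt" / "backup.sh"
    backdated.write_text("#!/bin/sh\necho backup\n")
    ten_days_ago = time.time() - 10 * 86400
    os.utime(backdated, (ten_days_ago, ten_days_ago))  # simulate a backdated mtime
    (host / "opt" / "update.exe").write_bytes(b"constructed placeholder")
    evidence = work / "evidence"
    manifest = preserve_logs([log, host / "var" / "log" / "missing.log"], evidence)
    return {"manifest": manifest, "evidence": str(evidence),
            "recent": recently_changed(host, time.time() - 3600),
            "anomalies": timestamp_anomalies(host)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the log list would be the paths your IT staff already know about (web server, firewall, authentication and file transfer logs), and the evidence folder should live on separate media, not on the suspect machine, since the copy and its manifest are what an investigator or law enforcement will later rely on.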
For more information, read Protecting Personal Information: A Guide for Business.
Lesley Fair is an attorney in the FTC’s Bureau of Consumer Protection who specializes in business compliance.
Protecting Personal Information: Five Steps for Business
May 24, 2010
by Lesley Fair
What’s in your file cabinet right now? Tax records? Payroll information? And what’s on your computer system? Financial data from your suppliers? Credit card numbers from your customers? To a busy marketer, those documents are an everyday part of doing business. But in the hands of an identity thief, they’re tools for draining bank accounts, opening bogus lines of credit, and going on the shopping spree of a lifetime — at the expense of your company, your employees, and the customers who trust you.
Sophisticated hack attacks make the headlines, but many security breaches could be prevented by commonsense measures that cost companies next to nothing. That’s why the Federal Trade Commission (FTC) has published Protecting Personal Information: A Guide for Business, a plain-language handbook with practical tips on securing sensitive data. The specifics depend on the size of your company and the kind of information you have, but the basic principles remain the same. Whether you work for a multinational powerhouse with branches around the world or a start-up based in a home office, a sound information security plan is built on these five key practices:
- Take stock. Know what personal information you have in your files and on your computer. Understand how personal information moves into, through, and out of your business, and who has — or could have — access to it.
- Scale down. Keep only what you need for your business. That old business practice of holding on to every scrap of paper is “so 20th century.” These days, if you don’t have a legitimate business reason to have sensitive information in your files or on your computer, don’t keep it.
- Lock it. Protect the information you keep. Be cognizant of physical security, electronic security, employee training, and the practices of your contractors and affiliates.
- Pitch it. Properly dispose of what you no longer need. Make sure papers containing personal information are shredded, burned, or pulverized so they can’t be reconstructed by an identity thief.
- Plan ahead. Draft a plan to respond to security incidents. Designate a senior member of your team to create an action plan before a breach happens.
Get your copy of Protecting Personal Information: A Guide for Business at www.ftc.gov/infosecurity. While you’re there, download copies for your IT manager, your human resources department, your sales staff, and anyone else who comes in contact with customer or employee information.
Lesley Fair is an attorney in the FTC’s Bureau of Consumer Protection who specializes in business compliance.