Drawing on lessons from 50+ security settlements, the Federal Trade Commission [FTC] prepared a security guide for business. The guide is called Start with Security: A Guide for Business.
Some of the tips are things you probably have heard before, but some are unique and others bear repeating. Uniquely, the FTC tips suggest limiting the information collected, used, and retained. We often hear about how to protect information, but less about not collecting and keeping it in the first place. Here are excerpts from the Start with Security Guide.
- Don’t collect personal information you don’t need.
Here’s a foundational principle to inform your initial decision-making: No one can steal what you don’t have. When does your company ask people for sensitive information? Perhaps when they’re registering online or setting up a new account. When was the last time you looked at that process to make sure you really need everything you ask for? That’s the lesson to learn from a number of FTC cases. For example, the FTC’s complaint against RockYou charged that the company collected lots of information during the site registration process, including the user’s email address and email password. By collecting email passwords – not something the business needed – and then storing them in clear text, the FTC said the company created an unnecessary risk to people’s email accounts. The business could have avoided that risk simply by not collecting sensitive information in the first place.
- Hold on to information only as long as you have a legitimate business need.
Sometimes it’s necessary to collect personal data as part of a transaction. But once the deal is done, it may be unwise to keep it. In the FTC’s BJ’s Wholesale Club case, the company collected customers’ credit and debit card information to process transactions in its retail stores. But according to the complaint, it continued to store that data for up to 30 days – long after the sale was complete. Not only did that violate bank rules, but by holding on to the information without a legitimate business need, the FTC said BJ’s Wholesale Club created an unreasonable risk. By exploiting other weaknesses in the company’s security practices, hackers stole the account data and used it to make counterfeit credit and debit cards. The business could have limited its risk by securely disposing of the financial information once it no longer had a legitimate need for it.
- Don’t use personal information when it’s not necessary.
You wouldn’t juggle with a Ming vase. Nor should businesses use personal information in contexts that create unnecessary risks. In the Accretive case, the FTC alleged that the company used real people’s personal information in employee training sessions, and then failed to remove the information from employees’ computers after the sessions were over. Similarly, in foru International, the FTC charged that the company gave access to sensitive consumer data to service providers who were developing applications for the company. In both cases, the risk could have been avoided by using fictitious information for training or development purposes.
This is sound advice, and not something often discussed in the data security realm. Here is how to implement it:
- Take a look at your intake and other forms. Is there information requested or listed that is not needed?
- Develop a document retention program that covers electronic data. Paper file retention tends to get more scrutiny because of physical space considerations; evaluating electronic file retention can likewise reduce the vulnerabilities and risks associated with information security.
- When sharing information with, or obtaining information from, other entities and Business Associates, limit what is exchanged to what the other party needs to know.
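The three tips above translate directly into code. The following Python module is an added example, not from the FTC guide or this post; the field names, record categories and retention periods are assumptions chosen for illustration. It enforces an intake allow-list so an email password submitted on a form is never stored, sweeps card authorisation data once its retention window passes instead of leaving it for 30 days, and generates obviously fictitious customers for training and development environments.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# 1. Collect only what the process needs.
# Assumed registration schema: anything else a form submits is dropped before storage.
REGISTRATION_FIELDS = {"username", "email"}


def minimise_registration(form: dict) -> dict:
    """Keep only allow-listed fields; report what was dropped so the form can be reviewed."""
    kept = {k: v for k, v in form.items() if k in REGISTRATION_FIELDS}
    dropped = sorted(set(form) - REGISTRATION_FIELDS)
    return {"kept": kept, "dropped": dropped}


# 2. Hold data only as long as there is a legitimate business need.
@dataclass
class Record:
    record_id: str
    category: str                      # "card_auth" or "account" (assumed categories)
    created: datetime
    payload: dict = field(default_factory=dict)


# Assumed retention schedule in days; None means keep while the relationship is live.
RETENTION_DAYS = {"card_auth": 1, "account": None}


def purge_expired(records: list, now: datetime) -> tuple:
    """Split records into (retained, purged_ids) according to RETENTION_DAYS."""
    retained, purged = [], []
    for rec in records:
        limit = RETENTION_DAYS.get(rec.category)
        if limit is not None and rec.created + timedelta(days=limit) <= now:
            purged.append(rec.record_id)   # caller deletes these from storage
        else:
            retained.append(rec)
    return retained, purged


# 3. Use fictitious data, not real people's, in training and development.
def synthetic_customer(seq: int) -> dict:
    """Deterministic, obviously fake customer record (constructed values)."""
    return {
        "name": f"Test Customer {seq:04d}",
        "email": f"customer{seq:04d}@example.invalid",
        "card_last4": f"{seq % 10000:04d}",
    }


def demo() -> dict:
    """Run the three checks over constructed sample data and return the outcomes."""
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    intake = minimise_registration({
        "username": "jdoe",
        "email": "jdoe@example.invalid",
        "email_password": "hunter2",        # constructed; the field itself is the problem
    })
    records = [
        Record("r1", "card_auth", now - timedelta(days=2)),     # past the window
        Record("r2", "card_auth", now - timedelta(hours=6)),    # still needed
        Record("r3", "account", now - timedelta(days=400)),     # no expiry
    ]
    retained, purged = purge_expired(records, now)
    return {
        "dropped_fields": intake["dropped"],
        "stored_fields": sorted(intake["kept"]),
        "purged": purged,
        "retained": [r.record_id for r in retained],
        "training_row": synthetic_customer(7),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list is the important design choice: storage code never has to decide what to discard, because anything outside the schema is gone before it reaches the database, and the `dropped` list gives the form owner the evidence needed for the intake review suggested above. The purge sweep is the kind of job a retention program schedules nightly; its output is the list of identifiers to delete, so the deletion itself can be logged and audited.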
Read about how the Cost of Defending against an FTC HIPAA Violations Claim Leads to an Entity's Demise: http://wp.me/p4bsis-153
Sound odd to get health care privacy and security tips from the FTC? It is not odd. While the U.S. Department of Health and Human Services [HHS] Office for Civil Rights [OCR] is charged with enforcement of HIPAA, OCR shares enforcement rights with state attorneys general and the FTC. The FTC proclaims concurrent enforcement rights. And the FTC has been active in such cases as the CVS and Rite Aid disposal violations and the LabMD case.