
Cybersecurity Best Practices for Businesses

by John DiGiacomo, Partner


Attention to Detail and Diligence are Critical When Dealing with Cyber Security

If the data breaches of the last few years are any indication, cyber security and data breaches will continue to make headlines. Most breaches trace back to an oversight somewhere in the system: companies large and small are compromised through vulnerabilities in their computer systems that attackers identify and exploit. Companies need to follow cyber security best practices to protect themselves and their customers’ personal information, and they need to give cyber security the time and resources necessary to rebuff attacks and neutralize threats, or face growing liability.

Since the area of cybersecurity is constantly changing and evolving, cybersecurity needs to be regularly evaluated to determine whether particular security measures are effectively addressing threats and risks. Only through diligent and consistent efforts can businesses rise to the challenge posed by hackers invading their computer systems.

Cyber Security Best Practices

One of the biggest risks to a cyber security system is the people who have access to the system. Employees and IT professionals who are not diligent in practicing cyber security best practices expose businesses to significant risk. A few cyber security best practices that those with system access can use to protect and promote security include:

  • Develop well-defined and clear cyber security policies and protocols.
  • Use multi-factor authentication for system logins, and require it for all administrative and remote access.
  • Implement strong password control: enforce a minimum length, allow long passphrases and any printable character, and screen new passwords against lists of breached and commonly used passwords.
  • Require passwords to be changed when there is evidence of compromise rather than on a fixed calendar. NIST SP 800-63B advises against mandatory periodic rotation and against arbitrary composition rules (required digits, symbols, or short maximum lengths), because both push users toward predictable patterns.
  • Install and use firewall protections.
  • Update security software, operating systems, and web browsers regularly, and patch known vulnerabilities promptly.
  • Run antivirus or endpoint protection software and scan regularly.
  • Have a response plan in place for when an intrusion is detected.
  • Back up computer systems regularly, keep at least one copy offline or otherwise isolated, and test that the backups can actually be restored.
  • Grant employees access only to the systems and data their roles require (least privilege).
  • Limit employees’ ability to install software.
  • Grant administrative privileges only to fully vetted and trusted information technology professionals, and keep those privileges on separate accounts from the ones used for day-to-day work.
  • Regularly schedule employee training programs that address cyber security best practices.
  • Monitor the cyber security practices of third parties who have access to the system.
  • Insist that third parties follow the same security measures as employees.
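The password items in the list above are the ones most often implemented the wrong way round, so here is what a policy that follows NIST SP 800-63B looks like in code. This is an added example, not code from the original article: it checks length and a breached-password blocklist instead of composition rules, normalizes the password before hashing, and stores a salted scrypt hash rather than the plaintext. The minimum length of 12, the scrypt cost parameters, the case-folded blocklist lookup, and the tiny blocklist itself are all constructed for illustration; a real deployment loads a full breach corpus.

```python
"""Password policy check and storage following NIST SP 800-63B.

Added example, not code from the original article.  MIN_LENGTH, the scrypt
cost parameters and BLOCKLIST are constructed for illustration only.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import List

MIN_LENGTH = 12      # assumed policy; 800-63B requires at least 8 for user-chosen secrets
MAX_LENGTH = 128     # 800-63B says to permit at least 64; do not cap low
SALT_LEN = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # constructed cost settings (~16 MiB)

# Constructed stand-in for a breached/common-password list; a real deployment
# loads an offline copy of a public breach corpus with millions of entries.
BLOCKLIST = {
    "password", "password1", "password1234", "123456789012",
    "qwertyuiopas", "letmeinplease", "welcome12345", "iloveyou1234",
}


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical inputs compare and hash identically."""
    return unicodedata.normalize("NFKC", password)


def _has_sequential_run(s: str, run: int = 4) -> bool:
    """True if any window of `run` code points is constant or steps by +/-1
    ('aaaa', 'abcd', '4321'): the 'repetitive or sequential' class that
    800-63B says the blocklist should cover."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if len(steps) == 1 and steps <= {-1, 0, 1}:
            return True
    return False


def check_password(password: str, *, username: str = "", service: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.

    Deliberately no composition rules (no 'one upper, one digit, one symbol')
    and no expiry: 800-63B relies on length, a blocklist and rate limiting.
    """
    pw = normalize(password)
    problems: List[str] = []
    n = len(pw)  # counted in code points, so one non-ASCII character counts as one
    if n < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if any(unicodedata.category(c) == "Cc" for c in pw):
        problems.append("contains control characters")
    low = pw.lower()
    if low in BLOCKLIST:   # case-folded lookup is this example's choice
        problems.append("appears in the breached/common password list")
    for label, ctx in (("username", username), ("service name", service)):
        if len(ctx) >= 4 and ctx.lower() in low:
            problems.append(f"contains the {label}")
    if _has_sequential_run(pw):
        problems.append("contains a repeated or sequential run of characters")
    return problems


def hash_password(password: str) -> bytes:
    """Return salt || scrypt digest for storage; the plaintext is never kept."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Password1234", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    record = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", record))
```

Note what is absent: there is no expiry field and no rule about character classes. Under this policy a password is rotated only when it turns up in a breach list or the account shows signs of compromise, and brute-force attempts are handled by rate limiting at login, not by making the password itself harder to remember.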

In today’s world data security breaches are regular occurrences. Almost everyone has been a victim of a cyber attack at some point in their lives, or will be at some point in the future. Hackers usually target businesses and databases because they can gain access to a wealth of customer personal information if a hack is successful.

Why Cybersecurity Best Practices Have Legal Force

Following cybersecurity best practices is not merely a technical recommendation; in practice it is also a legal expectation. The FTC, state attorneys general, sector regulators, and courts evaluate whether a business took “reasonable” security measures in the context of the data it holds and the known risks. The security practices listed above represent what regulators and courts have identified as baseline reasonable measures. A business that ignores them faces both regulatory enforcement exposure and civil litigation liability when a breach occurs.

The FTC’s Reasonable Security Standard

The Federal Trade Commission enforces data security obligations against companies that handle consumer data under its Section 5 authority over unfair or deceptive acts or practices, 15 U.S.C. § 45. The FTC does not impose a specific technical standard; it applies a “reasonableness” standard based on the sensitivity of the data held, the size of the company, and the cost of available safeguards relative to the risk they reduce.

In FTC enforcement actions, the Commission has consistently found the following failures to be unreasonable: not patching known software vulnerabilities promptly, storing sensitive data in cleartext rather than encrypted form, failing to implement multi-factor authentication for privileged access, failing to provide employee security training, failing to conduct risk assessments, and failing to have any incident response plan. These failures map directly to the best practices listed above. A business that can document consistent compliance with these practices is far better positioned to defend against FTC scrutiny after a breach.

NIST Cybersecurity Framework

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) provides a structured approach to cybersecurity risk management that is widely accepted as a baseline across industries. Version 2.0 of the CSF, released in February 2024, organizes cybersecurity activities into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover (Govern is new in 2.0; version 1.1 had the other five). While the NIST CSF is not legally mandatory for private businesses, its adoption is increasingly treated by regulators and courts as evidence of reasonable security practices. Many state cybersecurity regulations, or the regulator guidance accompanying them, point to NIST standards as a reference for compliance; New York’s 23 NYCRR Part 500 is one example.

Businesses that align their security programs with the NIST CSF and document that alignment create a contemporaneous record of their security posture that can be invaluable in defending against regulatory investigations and civil litigation after a breach. The documentation demonstrates that security was treated as an ongoing management function rather than an afterthought.

Employee Training as a Legal Safeguard

Employee training is among the most legally significant cybersecurity best practices because employee error is the entry point for the majority of successful breaches. Phishing attacks, accidental disclosure of credentials, misconfigured cloud storage, and improper disposal of physical records are all primarily human errors that can be substantially reduced through regular, well-designed security awareness training.

Courts and regulators have treated the absence of employee security training as significant evidence of negligent security practices. In the FTC’s enforcement action against Wyndham Worldwide, the failure to train employees adequately on security policies was one of the factors the FTC cited in alleging that Wyndham’s security practices were unreasonable. Conversely, a business that conducts regular phishing simulation exercises and security awareness training — and maintains records documenting those exercises — is far better positioned to argue that it exercised reasonable care even if a breach ultimately occurs.

Third-Party Vendor Security: A Critical Gap

Many businesses focus their cybersecurity investments on their own internal systems while paying insufficient attention to the security practices of third-party vendors who have access to their data. This is a significant legal gap. Courts and regulators hold businesses responsible for breaches caused by vendor failures when the business failed to adequately vet its vendors’ security practices, failed to include adequate security requirements in vendor contracts, or failed to monitor vendors’ ongoing compliance with those requirements.

A legally defensible vendor security program includes: written due diligence questionnaires completed by vendors before engagement, contractual security requirements that specify the safeguards the vendor must maintain for the data it handles, right-to-audit provisions that allow the business to verify vendor compliance, and breach notification requirements that obligate the vendor to notify the business promptly if a security incident affects the business’s data. These contractual provisions do not eliminate vendor risk, but they establish legal accountability and create a basis for indemnification claims when a vendor breach causes harm to the business’s customers.

Talk to a Data Breach Lawyer

The landscape surrounding cyber security is constantly in flux. New threats emerge every day, and security experts are constantly developing new solutions and techniques for businesses to protect their data. If you have concerns about your exposure or have suffered a data security breach, contact the experienced data breach attorneys at Revision Legal. There are steps you must take promptly when you learn that you have been hacked, and some states impose civil fines for failing to notify affected individuals in a timely manner. Contact us using the form on this page or call us at 855-473-8474.
