The Federal Trade Commission (“FCC”) recently issued its final rule with respect to new cybersecurity protocols. See here. The Rule is called “Standards for Safeguarding Customer Information” and is applicable to financial and related institutions.
The FCC’s amended Safeguard Rule is a very good and useful example of the current standards required by governmental agencies with respect to the security required for protecting consumer personal data and information. Whether your business involves financial transactions or not, it would be wise to proactively compare your current cybersecurity protocols and procedures with those in the FCC’s updated Safeguard Rule. If the comparison discloses significant divergences, it would also be wise to consider implementing new protocols and procedures.
Key features of the updated Safeguard Rule include:
- Encryption of data when “at rest” (stored) and when used or transferred through BOTH internal networks and over to external networks — in other words, data can be at risk whether moving or not
- Multi-factor authentication, particularly for external access — currently, two-factor authentication is the standard, but three-factor or more may become the standard
- Secure and unreconstructable destruction/disposal of data
- Separation and disaggregation of data sets
- Higher levels of security for –
- Data sets that contain the most sensitive data or for data sets that can be combined or reconstructed to reveal the most sensitive data
- Data or systems that, if breached or compromised, would materially affect business functionality and/or the confidentiality, integrity or availability of sensitive data
- Delegation to one or more persons — who are specifically qualified –
- To implement cybersecurity
- To oversee risk assessments (including written reports)
- To quickly and effectively respond to risk threats and breaches
- To begin and complete remediation and recovery efforts
- To be a “point person” for consumer and governmental inquiries and
- To provide continual and periodic reporting to corporate governing bodies (like the Board)
- Preparation of written risk assessment reports with such reports being inputs into the design of subsequent procedures and protocols
- Continuous monitoring
- Periodic penetration testing
- Ongoing vulnerability assessments
- Appropriate training for personnel at all levels
- Limiting access
- Application of appropriate security protocols for third-party service providers
- Contractual requirements related to said third-party service providers
- Requiring written incident reports including details on response and recovery
Although not included in the FCC’s updated Safeguard Rule, it should be noted that businesses affected by cybersecurity breaches have many reporting requirements imposed at both the federal and state levels. Most of those breach notification laws require notification when there is an actual breach of computer systems or unauthorized access that results in actual loss or potential loss of data. However, businesses should be aware that notification laws and regulations are being broadened to require notification of more generalized cybersecurity incidents. Given the increasing number of malware and ransomware attacks that have shut down companies, impacted specific industries and caused generalized disruption of the larger economy, legislators and regulators are quickly beginning to focus on cybersecurity as an economic security concern, not just a consumer data privacy issue.
If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.