Data Security Program
The Federal Trade Commission (FTC) settled its investigation regarding the massive Ashley Madison data breach that occurred last year. One of the more interesting parts of the settlement is the mandated data security program. The FTC and Ashley Madison agreed that Ashley Madison would implement a comprehensive data security program to prevent future data breaches. The program provides a template for larger organizations to view in operating their own data security programs.
The mandated data security program includes the following features:
(1) The company must have someone at the helm of the program. This might seem intuitive to some, but many companies do not actually have a designated employee or group of employees who are responsible for company data security. I believe that most small to mid-size companies do not even think about the issue until hit with a data breach event.
(2) The company should do a risk assessment. In the Ashley Madison case, the parties agreed to biennial risk assessments by qualified third-party risk assessors. Risk assessments by qualified third parties are essential to a company staying on top of its data security program. I personally think biennial assessments are too spread out because of the constantly and rapidly evolving security risks. Annual risk assessments would be more prudent in my opinion. Risk assessments should be done by third parties because internal audits often have "blinders" on when it comes to certain aspects of their data risks. It is better to have a third party come in and take a look.
(3) The company should develop and implement safeguards to minimize the risks and conduct regular testing or monitoring of those safeguards. This is a logical requirement in view of the risk assessment requirement. When the risk assessment identifies problem areas, the company should work to develop a solution to minimize the risk of data breach. According to the settlement, Ashley Madison is required to implement "reasonable" safeguards, so at least with the FTC, it appears that there is a recognition that there is a risk-benefit analysis inherent in determining the best approach to minimize data risks.
(4) The company should contract with its service providers to ensure that they are also required to safeguard personal information. I have always thought that this is a good idea, but difficult to implement. Every company has its own ideas about data security and what is reasonable in that area. It is sometimes difficult to really force a third party to safeguard data through a contractual provision.
(5) Constant evaluation and adjustment of the data security program as needed. This requirement goes without saying.
If you are seeking guidance or counsel on implementing a data security program or handling a data breach, feel free to contact Harmony Law. We may be able to help you resolve the situation.