Best Practices For Implementing Internal Security Controls

Contributed by Kristin A. Biedinger

Many security risks can be avoided or mitigated by implementing sufficient internal security controls tailored to the organization’s size, needs, and specific industry. The Federal Trade Commission (“FTC”) sets forth best practices for implementing internal security controls, which include avoiding unreasonable risk. Although avoiding unreasonable risk sounds like obvious advice, companies often fail to recognize the ways in which such risk can be avoided. This article provides practical advice that companies can use when implementing internal security controls to ensure that unreasonable risk is avoided.

First, companies must limit what personally identifiable or other protected information is collected. Such information should be collected only when there is a legitimate business need for it and only to the extent necessary. For example, in the case of United States of America v. RockYou, Inc., RockYou collected and stored email addresses and passwords even though these emails and passwords were not needed to provide services to RockYou’s customers. RockYou also stored the passwords in clear text. RockYou’s collection and storage of email addresses and passwords, without a legitimate business need for such information, was found by the FTC to create unreasonable risk with respect to this information, and RockYou was fined $250,000. In an age of “big data,” this case highlights the importance of companies collecting only the information that is actually needed to provide their services.

Second, companies must ensure that any personally identifiable or other protected information that is collected, and that is necessary to provide the company’s services, is stored only for as long as the information is actually needed. In the case of In the Matter of BJ’s Wholesale Club, Inc., the organization stored credit and debit card information used to complete in-store transactions for up to thirty days, even though there was no legitimate need to keep this information for so long after the transaction was completed. Storing this information after the transaction was complete, with no legitimate business reason, was found to create unreasonable risk with respect to the credit and debit card information. As part of its settlement with the FTC, BJ’s Wholesale agreed to submit to third-party audits for a period of twenty years. This case highlights the fact that companies cannot store the personally identifiable or other protected information of their customers forever. There must be mechanisms in place that routinely audit the information that is stored and delete any information that is no longer needed.

Third, companies must limit the use of personally identifiable and other protected information to only those situations in which it is actually necessary. For example, in the case of In the Matter of foru International Corporation, the company gave developers access to real customer data during application development, and in In the Matter of Accretive Health, Inc., the company used real personally identifiable information during in-house trainings. In both cases, the FTC found that the companies used personal information when it was not necessary.

Companies must carefully consider the ways in which unreasonable risk can be avoided. A well-drafted internal control plan that addresses these issues can significantly reduce security risks.

For additional information, please contact Kristin Biedinger.