Security is one of the defining internet issues of this decade. There is no single body of law that governs a company's rights and responsibilities, but there are ways to prioritize compliance efforts. The issue is relatively unique to the internet space because the laws and regulations that apply come from many different areas. In recent years the Federal Trade Commission (FTC) has taken an increasingly prominent role in responding to these problems. In addition, almost every state has some sort of law that at least requires notification when personal information is disclosed without authorization. Indeed, many state laws, particularly those of Massachusetts and California, go substantially beyond simple breach disclosure and mitigation.
While many agencies, such as the SEC, have regulations that address security issues in the industries they regulate, the FTC is the agency primarily tasked with addressing internet security issues. Under Section 5 of the FTC Act it has the authority to bring enforcement actions against companies and individuals that engage in unfair or deceptive trade practices, and it has treated inadequate data security as both. The best way to determine the FTC's enforcement priorities is to look at its recent enforcement actions. These have focused on the "locked door" problem: many companies focus on the number of locks they have placed on the door to their data, rather than on making sure those doors do not become unlocked over time.
The FTC has said that sloppy security practices are an issue that is simply screaming for regulatory and enforcement activity.
Time and time again, the FTC has stated that companies must have procedures in place to keep their businesses secure, to detect security vulnerabilities, and to inform customers and, if necessary, regulators when unauthorized disclosures are discovered. To avoid FTC action, internet businesses need to shift some of their security thinking and strategy from high-profile areas to basic security hygiene and process controls. This could mean redeploying resources from point-in-time testing (such as penetration tests that try to breach the firewall) to creating change control processes, training staff on quality control, and verifying that vendors actually meet the security standards you need, not merely the standards they profess to have. A penetration test shows that the door was locked on the day of the test; a change control process is what keeps it locked after the next deployment.
It is trickier to generalize about state security statutes. That said, most state laws have goals similar to those of their federal counterparts. As an initial matter, you should ensure that your entire "ecosystem" (your own business units, your vendors, and the contracts between them) uses the same, or similar, breach definitions. Doing so avoids gaps in which one party decides an incident is not a "breach," which leads to misinformation and to failure to comply with the breach definitions set out in your state laws. A second component of general compliance is to create both internal and external notification plans. The internal plan should establish a system in which both employees and vendors are alerted to a possible breach. External plans should contain, at a minimum, a statement of what is known about the breach, the mitigation efforts under way, a contact point, and the future steps you are taking regarding the breach. You should also identify in advance which information will be excluded from these notifications because of confidentiality or other restrictions.
A final component of a state compliance plan is to anticipate how you will fold in state regulators and law enforcement. At a minimum, these will be agencies in the state in which you are located, but in some instances they may include regulatory agencies in other states, for example those where affected customers reside. It is important not to play hide-the-ball by simply failing to provide the regulatory and law enforcement notifications required by law. In making these notifications, involve your attorney to determine how much information you are required to disclose and how to protect your company from litigation.
For More Information
For more legal information you can visit my site:
David Snead’s Home Page
To learn more about PCI compliance, see the resources offered by Host Merchant Services.
Disclaimer: Legal decisions must be made based on your unique situation. Please consult with an attorney prior to making decisions based on this post.