TrustArc Blog

Make Data Privacy & Security Your New Year’s Resolution

January 09, 2014

Heather M. Federman
Director of Public Policy, Online Trust Alliance
@HFeds

Make data privacy & security your 2014 resolution

Join TRUSTe at the OTA’s Data Privacy Day Town Halls in NYC, Seattle and San Francisco & Save 20%

It’s no longer an “if” your company will become the target of a data breach; it’s just a matter of “when.” From small nonprofits to Fortune 500 tech-savvy organizations, breaches and data loss incidents are becoming an unfortunate rite of passage. More and more businesses have found themselves exposed and ill prepared to manage the fallout. In addition to the confusing (and conflicting) regulatory landscape, breaches can be quite expensive, with the average cost equaling $5.5 million. And while innovative defenses against privacy and security threats are introduced with each passing year, cybercriminals outpace those innovations with new and more malicious tactics.

As online trust is on the decline, 2014 needs to be the year of “Data & Privacy Stewardship.” This requires moving from minimal compliance to enhancing the protection of your company, your data and your customers. In order to do so, consider the following New Year “data resolutions”:

1. Make sure your data practices are up to snuff

Be it a corporate network, data center, laptop or mobile device, companies must protect their data no matter where it resides. Businesses that come into possession of nonpublic personal information should continually re-evaluate their own data security programs. Make sure that your privacy policy statement reflects your current data collection and sharing practices, including the use of third-party advertisers, analytics and service providers. Review notification, collection, use and sharing practices; do this on a periodic basis and as new products, services and partnerships are developed.

2. Implement the leading best practices to protect your data and consumers

The definition of “privacy” and the composition of Personally Identifiable Information (PII) continue to evolve. Last year’s rules may no longer apply. And as outsourcing of data processing becomes more popular, companies are increasingly sharing data that is highly confidential. While these outside parties must use this data to provide relevant services, both the business and the outside party could face significant financial and reputational harm due to a data loss incident.

However, upwards of 93 to 97% of all breaches could have been avoided if simple controls and security best practices had been implemented. Breaches stem not only from accidental physical loss, but also from an ever-increasing level of deceptive tactics. Given the rising number of social engineering exploits and data snooping via unencrypted transmissions, make sure to implement best practices such as email authentication, SSL, password management, encryption and hardening of client devices.

Ultimately, it is no longer optional to have adequate controls in place when implementing data and infrastructure practices. The businesses that focus on privacy, security and brand protection in a holistic manner are the ones best equipped to protect their brand from a significant incident.

3. Ensure your response plan passes the test, by regulators and consumers

The “business shock” of a data breach will not only paralyze operations, but it will also damage relationships with regulators, partners and consumers. Inaccurate reporting and inadequate security-privacy practices foster grave consequences. Without an incident response plan, the inevitable breach will harm a company’s brand, increase liability exposure and engender a negative impression on your company’s bottom line.

A Data Incident Plan (DIP) is a playbook describing the breach fundamentals you can deploy on a moment’s notice. A good DIP will integrate your company’s collection, retention and deletion policies. Organizations must be able to quickly determine the nature of an incident, immediately contain it, ensure that forensics evidence is not accidentally ruined, and subsequently notify regulators. The scope of an organization’s plan should include: data classification, validating employees’ access to that data, an inventory of system access and credentials, retaining forensic analysts and cyber insurance, and implementing data loss prevention technologies. The organization should also have an impact assessment regarding the loss of reputation, compliance, intellectual property and business continuity.

Once developed, communicate the DIP to all relevant parties to ensure an effective 24/7 incident response capability. A well-documented project plan is only as good as the training and readiness of the incident team.

4. Register for the OTA’s 2014 Data Privacy Day program

Whether you are new to privacy and security or need to update your DIP, the regulatory landscape is rapidly changing. Be prepared by joining TRUSTe at the Online Trust Alliance’s (OTA) Data Privacy Day Town Halls hosted in New York City, San Francisco and/or Seattle. Register by January 20th and save 20% (use the code TRUSTe20).

Now in its 4th year, these Town Hall programs are your opportunity to learn and network with leaders in data privacy, security, and breach readiness. Make privacy and protection part of your brand’s value while getting updated on the evolving regulatory landscape.

Attend the morning’s networking breakfast and series of engaging panel discussions. Connect 1-1 with the FTC, Secret Service, FBI, State AGs and others discussing the latest in security, privacy and data protection best practices. Attend the afternoon Breach Readiness Planning workshop to learn the fundamentals of response plans. From forensics to customer communications and working with law enforcement, these are the key steps that all businesses need to take when dealing with a data loss incident.

For more info and to register, go to: www.otalliance.org/news/dataprivacyday
Note: these events are eligible for IAPP CPE and CLE credits.

Let’s make 2014 the year of Data & Privacy Stewardship. Wishing you a happy, healthy and secure new year – we’ll see you at OTA’s Data Privacy Town Hall!

Heather M. Federman is responsible for framing public policy positions reflecting OTA’s mission of enhancing online trust, innovation and self-regulation. In this role she co-chairs the OTA Public Policy and Legislation committee and manages OTA’s relationship with members of Congress and related organizations. Prior to OTA, Heather was the legal & policy fellow for the Future of Privacy Forum where she worked on a variety of issues, including mobile apps, location tracking, digital advertising and children’s privacy.