FTC's Advice on Data Security
- Written by Michael L. Starzec
In May 2019, BMI recognized the Police’s “Every Breath You Take” as the most played song in radio history, with 15 million plays. Although some have taken it for a romantic ballad, Sting himself called the song “sinister,” and as early as 1988 a sociologist wrote that it “nicely captures elements of the new surveillance.” He was referring to ankle monitors. Today, that is not even a blip on the technology radar.
While 15 million plays is very impressive, it is nothing compared to the number of people exposed to an even more sinister kind of surveillance, that of cyber-thieves. The Yahoo breach exposed roughly 3 billion accounts, the Marriott breach about 500 million guest records, and the Adult Friend Finder breach 412 million accounts. (Though for “Friend Finder” the likelier harm was blackmail rather than identity theft.) For us, the risks are significantly higher, as a single data breach can ruin your firm. But there are best practices. In 2015, drawing on more than 50 legal actions against companies involved in data breaches, the FTC published some lessons we can learn:
Be a Minimalist
The FTC has a simple formula: don’t collect information you do not need, and if you do need it, hold it only as long as there is a legitimate need. For example, one retailer collected payment card data at the point of sale but, once the transaction was complete, continued to retain it for 30 days. As you can guess, hackers stole the data within that window. Data you no longer hold cannot be stolen from you.
While outside attacks are most common, it is just as important to limit access internally. When choosing what data to retain, determine who actually needs access. Put differently, almost no one needs access to everything. While seemingly trite, it was news to Twitter. Yes, that Twitter, used for inopportune mental meanderings of politicians and celebrities. The FTC found Twitter actually allowed nearly all of its employees to have administrator rights, a situation that was exploited. Likewise, where your data is physical or later becomes physical through transmission or printing, limit who can send or print documents.
Be a Joiner
When it comes to security, don’t do it yourself. While it may seem counter-intuitive, going it alone or with a lesser-known vendor may actually increase your danger. According to the FTC, widely used, industry-standard encryption methods have been tested extensively against an array of attacks. Proprietary or newer methods have likely not been tested as strenuously and may have easily exploitable flaws, as the FTC found in its action against ValueClick. Choosing a standard algorithm is necessary but not sufficient: it also has to be used as designed, with properly generated keys and without home-made modifications. While bigger may not always be better, following the crowd is the better bet in cyber-security.
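To make the FTC’s point concrete, here is an added example; it is not from the FTC’s guidance, from this article, or from the ValueClick matter. The “proprietary” scheme is a constructed stand-in (a short key XORed repeatedly over the data) for the kind of untested design the FTC warns about, placed beside AES-GCM from Go’s standard library. The card numbers are standard test numbers, and the toy key is invented.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// xorEncrypt is a constructed stand-in for a home-grown "proprietary" scheme:
// it XORs each byte of the plaintext with a short repeating key. It is not any
// real company's scheme; it shows the kind of flaw untested designs carry.
// Because XOR is its own inverse, the same function decrypts.
func xorEncrypt(key, data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// recoverXorKey is a known-plaintext attack: anyone who knows one stored record
// (for example, their own card number) and its ciphertext gets the key back,
// since ciphertext XOR plaintext equals the key stream. Every other record then
// falls with no further effort.
func recoverXorKey(known, ciphertext []byte, keyLen int) []byte {
	key := make([]byte, keyLen)
	for i := 0; i < keyLen && i < len(known) && i < len(ciphertext); i++ {
		key[i] = known[i] ^ ciphertext[i]
	}
	return key
}

// sealAESGCM encrypts with AES-256-GCM from the Go standard library, a widely
// reviewed authenticated cipher. A fresh random nonce is generated per message
// and prepended to the ciphertext.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM decrypts and verifies; a wrong key or a single flipped bit is rejected.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	// Constructed sample records (standard test card numbers), not real data.
	rec0 := []byte("4111111111111111")
	rec1 := []byte("5500000000000004")
	xorKey := []byte("s3cr3t!!") // assumed 8-byte key for the toy scheme

	// Toy scheme: one known record leaks the key, and with it every other record.
	ct0, ct1 := xorEncrypt(xorKey, rec0), xorEncrypt(xorKey, rec1)
	stolen := recoverXorKey(rec0, ct0, len(xorKey))
	fmt.Printf("toy scheme: recovered key %q, decrypted record 1 = %s\n", stolen, xorEncrypt(stolen, ct1))

	// Standard scheme: a known record and its ciphertext give the attacker nothing.
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		panic(err)
	}
	sealed, err := sealAESGCM(aesKey, rec1)
	if err != nil {
		panic(err)
	}
	opened, err := openAESGCM(aesKey, sealed)
	fmt.Println("AES-GCM round trip ok:", err == nil && bytes.Equal(opened, rec1))
	sealed[len(sealed)-1] ^= 1 // flip one bit of the authentication tag
	_, err = openAESGCM(aesKey, sealed)
	fmt.Println("AES-GCM rejects tampering:", err != nil)
}
```

The toy scheme looks like encryption and would pass a casual glance at the stored data, yet one customer who knows their own card number recovers every other customer’s. The standard construction gives the same attacker nothing and additionally detects tampering, which is what decades of public review buy you.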
Be a Divider
Not every computer in your network needs to communicate with every other computer: a machine that can reach everything gives an intruder who compromises it a path to everything, and that is where hackers begin. Even after you segment your network, further subdivide it so that sensitive data sits in its own, separately protected segment, so that reaching it requires several layers of hacking. Even with that structure in place, monitor your network for suspicious activity. For example, one company without such monitoring allowed a hacker to log in and install programs that collected data and sent it out for retrieval every few days. Easy money indeed.
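What “segment and monitor” looks like in practice, as an added example that is not from the FTC’s guidance or from this article: a small Go program that checks constructed connection records against an assumed segmentation policy and flags the “collect, then retrieve every few days” pattern. The host names, the naming convention that maps a host to its segment, the policy table and the sample flows are all invented for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Flow is one connection record from a network log: when, who talked to whom, how much.
type Flow struct {
	When     time.Time
	Src, Dst string
	Bytes    int
}

// policy is an assumed segmentation policy: which source segment may open connections to
// which destination segment. Same-segment traffic is allowed; anything not listed is a violation.
var policy = map[string]map[string]bool{
	"pos":  {"payment": true}, // point-of-sale hosts reach only the payment gateway
	"corp": {"internet": true},
	"db":   {}, // the database segment initiates nothing
}

// segmentOf uses an assumed naming convention: "pos-01" is in "pos", "payment-gw" in "payment", "ext:<ip>" is the internet.
func segmentOf(host string) string {
	if strings.HasPrefix(host, "ext:") {
		return "internet"
	}
	if i := strings.Index(host, "-"); i > 0 {
		return host[:i]
	}
	return host
}

// violations returns every flow that crosses a boundary the policy does not allow.
func violations(flows []Flow) []Flow {
	var bad []Flow
	for _, f := range flows {
		if s, d := segmentOf(f.Src), segmentOf(f.Dst); s != d && !policy[s][d] {
			bad = append(bad, f)
		}
	}
	return bad
}

// periodicExfil flags (src, dst) pairs that send at least minCount transfers of minBytes or more
// to the internet at a regular interval (every gap within tolerance of the first gap).
func periodicExfil(flows []Flow, minBytes, minCount int, tolerance time.Duration) map[string]bool {
	byPair := map[string][]time.Time{}
	for _, f := range flows {
		if f.Bytes >= minBytes && segmentOf(f.Dst) == "internet" {
			byPair[f.Src+"->"+f.Dst] = append(byPair[f.Src+"->"+f.Dst], f.When)
		}
	}
	flagged := map[string]bool{}
	for pair, ts := range byPair {
		if len(ts) < minCount || len(ts) < 2 {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		regular, base := true, ts[1].Sub(ts[0])
		for i := 2; i < len(ts) && regular; i++ {
			gap := ts[i].Sub(ts[i-1])
			regular = gap-base <= tolerance && base-gap <= tolerance
		}
		if regular {
			flagged[pair] = true
		}
	}
	return flagged
}

func mustTime(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// sampleFlows is constructed for this example; the hosts and transfers are invented.
var sampleFlows = []Flow{
	{mustTime("2019-05-01T02:00:00Z"), "pos-01", "payment-gw", 800},
	{mustTime("2019-05-01T02:05:00Z"), "pos-01", "db-02", 4096},
	{mustTime("2019-05-01T03:00:00Z"), "db-02", "ext:203.0.113.5", 5000000},
	{mustTime("2019-05-04T03:00:00Z"), "db-02", "ext:203.0.113.5", 4800000},
	{mustTime("2019-05-07T03:01:00Z"), "db-02", "ext:203.0.113.5", 5100000},
}

func main() {
	for _, f := range violations(sampleFlows) {
		fmt.Printf("segmentation violation: %s -> %s (%d bytes)\n", f.Src, f.Dst, f.Bytes)
	}
	for pair := range periodicExfil(sampleFlows, 1_000_000, 3, time.Hour) {
		fmt.Println("regular large outbound transfer, possible staged exfiltration:", pair)
	}
}
```

On the sample data the first check reports the point-of-sale terminal reaching the database directly and the database server reaching the internet at all, both of which the policy forbids, and the second check reports the database server’s three multi-megabyte transfers to the same outside address roughly three days apart. In a real deployment the policy is enforced by firewalls between segments, and these checks run over the firewall or flow logs to catch what slipped through.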
Trust but Verify
For us, FDCPA compliance policy and procedures are taught as gospel. It should be no different with data security. Ensure your e-security protocols are written, updated and made mandatory. Moreover, because there is vicarious liability for data breaches caused by your vendors, mandate they comply with your firm’s security expectations and then audit them to that practice. In addition, do not limit your testing to FDCPA and FCRA. At our firm, our IT department not only educates on cyber security, we test on it. For example, fake emails with the sort of links hackers use are sent to staff to see if they can resist the urge to click and report the attempt. If they do, we give out a toy fish.
With so many areas of concern, Luddite attorneys like us may simply hope that our security is sufficient. But in a world where a single hacker using Starbucks’ Wi-Fi may have hacked a bank, data security is no different from malpractice insurance. As a solo artist, former Police singer and bassist Sting bemoaned walls in “Fortress Around Your Heart.” He’s less gloomy about a fortress around his hard drive.
Michael L. Starzec is a partner with Blitt and Gaines, P.C. and is vice president of the Illinois Creditors Bar. He is a frequent speaker, writer and litigator on creditors’ rights.