The Cybersecurity Unit of the U.S. Department of Justice recently released its “Best Practices for Victim Response and Reporting of Cyber Incidents,” a report meant to help companies prepare for cyber incidents and know what steps to follow one occurs. This practical guide is a primer for retailers and e-commerce companies and sets forth preventative steps to minimize the possibility of a company experiencing a data breach.
This guide is the first step toward a national policy for Internet retailers to follow in order to improve privacy and security that protects consumers and safeguard their data. These best practices should be considered a starting point for every Internet retailer, large and small, to get a conversation going internally. Not every potential security breach is preventable, but this four-step plan can help retailers take practical steps to reduce their risks with a logical response plan in place when security breaches do occur.
The Department of Justice’s Four-Step Primer for Internet Retailers:
- Identify the problem:Instituting your cyber security policy begins with identifying what information needs to be protected. The basic steps are:
- 1. Inventory your data
- 2. Categorize your data (personal data comprised of both customer and employee data, confidential information that you hold under contracts with business clients, trade secrets and other types of intellectual property of your company)
- 3. Map the flow of your data to determine how it is collected and how it’s used
- 4. Review the security protections in placefor each category of data and identify areas of vulnerability and controls you can put in place to mitigate the risk of that data being compromised
- Create a plan: Next, you need to have an actionable written plan in place that is tested on a regular basis. No plan is perfect, but when something happens it is comforting to have pre-assigned roles and responsibilities. Do customers need to be contacted and if so, by whom? What should the notice contain? Is there a timeline?
- Institute safeguards: Make sure you have reasonable safeguards in place to protect those crown jewels. These safeguards should be commensurate with the size and complexity of your organization. Joe’s corner hardware store will have very different cyber security needs and capabilities than a publicly-traded, multinational brand. Employee privacy awareness training should be a part of those safeguards.
- Legal strategy: Finally, make sure you have competent and experienced outside counsel familiar with cyber incident management on the ready. Calling your insurance agent at 3:00 AM for legal advice is never a good idea.
When an incident happens — notice I didn’t say ‘if’ — you need to mobilize and turn to your tested incident response plan. The DOJ’s guidance signals the need to make an initial assessment of the event, determining the nature and scope of the incident.
This critical point is important. There are many cases where companies panic, reacting without first knowing the facts, often making disastrous decisions that cause consumer panic and regulatory frustration. Having a sound procedure for cyber incidents prevents this from happening. Once you do an assessment, you can take measures to minimize the breach and shut down the bad guys. It’s also a good idea to make sure you keep written records and logs of your investigation, in case you have statutory data breach notification obligations under different state laws.
This DOJs guide is a significant first step and national policy initiatives to improve privacy and security are flowing from the government, though it’s regrettable that this needs to be the case. While we can’t prevent every potential security breach, retailers should take practical steps to reduce the risk of them happening and have a logical response plan in place when they do. The DOJ’s guidance is a great roadmap for just that.
Ghostery provides online privacy technology and services for businesses and consumers.
Favorite