Page 27 - SMRH Eye on Privacy 2019 Year in Review Brochure

DATA SECURITY
FTC and Software Company Reach Security Settlement Over Unfair Practices
Posted on November 20, 2019
The FTC recently settled with Infotrax Systems, L.C., a technology company providing software to the direct sales industry. The settlement followed a breach suffered by the company, and involved allegations that the company had failed to use reasonable security. According to the FTC, for almost two years, a hacker accessed Infotrax’s server unnoticed at least seventeen times. The data accessed included Social Security numbers and payment card information. It also included unencrypted user IDs and passwords. Infotrax learned of the incident only from an alert that one of its servers had reached maximum storage capacity.
The FTC alleged that the company had failed to use reasonable, low-cost and readily available security practices. Among the security missteps cited were a failure to conduct code review of its software and a failure to adequately segment its network. The FTC also noted a failure to delete personal information that was no longer needed. These failures, the FTC argued, led directly to the breach, which resulted in at least 280 reports of alleged fraud from impacted individuals. Mirroring other FTC settlements, the company agreed to submit to 20 years’ worth of third-party audits and other certifications. The required safeguards include testing and monitoring, using only vendors who can protect information, and contractually binding those vendors to protect it.
PUTTING IT INTO PRACTICE: This settlement provides insight into the FTC’s view of “reasonable” security practices and the steps it believes companies should take to protect information. These include regular testing and monitoring, and working with vendors who can provide appropriate information protection.
CISA Releases “Cyber Essentials” to Assist Small Businesses
Posted on November 12, 2019
The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) recently released its Cyber Essentials guide. Consistent with the NIST Cybersecurity Framework, the Cyber Essentials provide “a starting point to cyber readiness,” and are specifically aimed at small businesses and local government agencies that may have fewer resources to dedicate to cybersecurity. The guide suggests a holistic approach to managing cyber risks, and is broken down into six “Essential Elements of a Culture of Cyber Readiness”: (1) Yourself; (2) Your Staff; (3) Your Systems; (4) Your Surroundings; (5) Your Data; and (6) Your Actions Under Stress. The final section of the guide lists steps that can be taken immediately to increase organizational preparedness against cyber risks. These include backing up data, implementing multi-factor authentication, enabling automatic updates, and deploying patches quickly.
CISA’s Cyber Essentials guide is just the latest government resource for small businesses on cybersecurity. The U.S. Small Business Administration has a page dedicated to providing information and resources for small business cybersecurity. Also, the National Institute of Standards and Technology, the Federal Trade Commission, and the Federal Communications Commission provide cybersecurity resources specifically tailored to small businesses.
PUTTING IT INTO PRACTICE: Companies can look to CISA’s Cyber Essentials guide and other government resources to take basic steps to improve their cybersecurity resilience.