December 30, 2014
Best Practices for Managing Confidential Client and Customer Information Detecting and Managing System Failures:
Effective security management requires your company to deter, detect, and defend against security breaches. That means taking reasonable steps to prevent attacks, quickly diagnosing a security incident, and having a plan in place for responding effectively. Consider implementing the following procedures:
• Monitoring the websites of your software vendors and reading relevant industry publications for news about emerging threats and available defenses.
• Maintaining up-to-date and appropriate programs and controls to prevent unauthorized access to customer information. Be sure to:
- Check with software vendors regularly to get and install patches that resolve software vulnerabilities;
- Use anti-virus and anti-spyware software that updates automatically;
- Maintain up-to-date firewalls, particularly if you use a broadband Internet connection or allow employees to connect to your network from home or other off-site locations;
- Regularly ensure that ports not used for your business are closed; and
- Promptly pass along information and instructions to employees regarding any new security risks or possible breaches.
- Using appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. It’s wise to:
- Keep logs of activity on your network and monitor them for signs of unauthorized access to customer information;
- Use an up-to-date intrusion detection system to alert you of attacks;
- Monitor both in- and out-bound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user; and
- Insert a dummy account into each of your customer lists and monitor the account to detect any unauthorized contacts or charges.
• Taking steps to preserve the security, confidentiality, and integrity of customer information in the event of a breach. If a breach occurs:
- Take immediate action to secure any information that has or may have been compromised. For example, if a computer connected to the Internet is compromised, disconnect the computer from the Internet;
- Preserve and review files or programs that may reveal how the breach occurred; and
- If feasible and appropriate, bring in security professionals to help assess the breach as soon as possible.
Considering notifying consumers, law enforcement, and/or businesses in the event of a security breach. For example:
- Notify consumers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm;
- Notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm;
- Notify the credit bureaus and other businesses that may be affected by the breach. See Information Compromise and the Risk of Identity Theft: Guidance for Your Business at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus59.htm; and
- Check to see if breach notification is required under applicable state law.