Best Practices for Managing Confidential Client and Customer Information Detecting and Managing System Failures:

Effective security management requires your company to deter, detect, and defend against security breaches. That means taking reasonable steps to prevent attacks, quickly diagnosing a security incident, and having a plan in place for responding effectively. Consider implementing the following procedures:

• Monitoring the websites of your software vendors and reading relevant industry publications for news about emerging threats and available defenses.

• Maintaining up-to-date and appropriate programs and controls to prevent unauthorized access to customer information. Be sure to:

1. Check with software vendors regularly to get and install patches that resolve software vulnerabilities;
2. Use anti-virus and anti-spyware software that updates automatically;
3. Maintain up-to-date firewalls, particularly if you use a broadband Internet connection or allow employees to connect to your network from home or other off-site locations;
4. Regularly ensure that ports not used for your business are closed; and
5. Promptly pass along information and instructions to employees regarding any new security risks or possible breaches.
6. Using appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. It’s wise to:
7. Keep logs of activity on your network and monitor them for signs of unauthorized access to customer information;
8. Use an up-to-date intrusion detection system to alert you of attacks;
9. Monitor both in- and out-bound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user; and
10. Insert a dummy account into each of your customer lists and monitor the account to detect any unauthorized contacts or charges.

• Taking steps to preserve the security, confidentiality, and integrity of customer information in the event of a breach. If a breach occurs:

1. Take immediate action to secure any information that has or may have been compromised. For example, if a computer connected to the Internet is compromised, disconnect the computer from the Internet;
2. Preserve and review files or programs that may reveal how the breach occurred; and
3. If feasible and appropriate, bring in security professionals to help assess the breach as soon as possible.

Considering notifying consumers, law enforcement, and/or businesses in the event of a security breach. For example:

1. Notify consumers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm;
2. Notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm;
3. Notify the credit bureaus and other businesses that may be affected by the breach. See Information Compromise and the Risk of Identity Theft: Guidance for Your Business at http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus59.htm; and
4. Check to see if breach notification is required under applicable state law.