The U.S. Federal Trade Commission (FTC) recently levied substantial sanctions against alcohol delivery platform Drizly and education services provider Chegg after what were alleged to be substantial failures in the companies’ data security and privacy efforts. According to the FTC, the failures led to security incidents adversely affecting millions of consumers.
The FTC complaints list numerous shortcomings in the companies’ information security and privacy efforts, including a lack of data minimization and appropriate data encryption, and a failure to make use of multifactor authentication for user access.
In Europe, EU member state data protection agencies have issued numerous fines to organizations, both when a breach exposed personal data and for non-compliance even when no incident had occurred. Organizations such as Amazon, Meta, and Google have been fined tens or hundreds of millions of Euros for General Data Protection Regulation (GDPR) non-compliance.
The risks to organizations that mishandle personal information, either in their normal course of operations or as a result of a security incident, are increasingly substantial. The FTC sanctions against Drizly also apply to its CEO, James Rellas, and the FTC’s sanctions on Rellas will follow him for 10 years, whether he remains at Drizly or moves to other organizations.
GDPR penalties, particularly for egregious violations, can cost an organization up to 4% of its global annual turnover. Further, several U.S. states, including Colorado and New Jersey, will see new privacy rules take effect in 2023.
What Organizations Can Do
Organizations looking to protect their customers and avoid potential penalties should implement a comprehensive information security and privacy program, with an eye towards how those elements integrate. Conventionally, security programs have a strong IT and technology element in their practice, and privacy programs originate with legal experts and derive primarily from policy documents.
But a successful program combines these elements effectively: 1) security and engineering teams that understand their privacy requirements and design and operate systems and processes accordingly, 2) privacy experts that understand how the organization handles data and devise policies, and 3) privacy practices that comport with the organization’s uses and functions.
Consider the following key areas when designing your organization’s security and privacy programs:
Understanding Data Assets
Identify your data assets, determine their legitimate use, and aggressively minimize data retention, especially for personally identifying information (PII), to the least amount of data for the shortest time period. Doing so will help to meet specific business and regulatory requirements. Retaining PII indefinitely because the future might hold a use case is demonstrably poor practice and will run afoul of at least some privacy rules.
Further, carefully consider all the data processing and workflow activities pertinent to these data and determine who needs access to the systems and data involved in these processes. This will likely include your organization’s employees and third-party users, such as business partners, customers, or contractors.
Consider a security framework, such as NIST CSF, HITRUST, or PCI DSS, as a baseline for your organization’s information security requirements and commit to a process of continuous improvement for your security practices. Having a policy requiring a security practice, such as how users authenticate, but not having the means to enforce that policy is largely ineffective. Having some technical controls based on whatever systems you procure may be an improvement, but having your policies clearly define your requirements when you develop or procure new systems clearly demonstrates a measure of improvement.
Further, gather the relevant stakeholders, such as system owners, for a regular (at least annual) discussion to determine if your policies, controls, and practices continue to meet your organization’s security requirements in a way that aligns with your other business objectives.
Security Control Testing
Regularly test your security controls and your ability to respond to potential incidents. Part of the FTC’s complaints against Drizly and Chegg was that they both suffered security incidents (in Chegg’s case, four separate incidents between 2017 and 2022), did little in the way of response, and had their customers’ data sold on internet criminal forums.
The practice of regularly testing security controls, such as regular internal or external security audits, assessments or penetration testing, helps to uncover potential weaknesses and demonstrate how an attacker could make use of them to exploit systems, expose data, or harm the organization.
The Role of Leadership
Without clear leadership that prioritizes fixing those findings, however, these activities are just exercises, so company leaders should soberly consider the seriousness of those potential vulnerabilities and, with the prior principle of continuous improvement in mind, determine how best to correct the matter at hand to prevent similar issues from recurring. Often, these corrections require significant changes—sometimes as systems engineering projects, sometimes as changes to deep-seated company practices or culture.
Incident Response Plan
Further, the ability to identify security incidents and respond quickly can, in many cases, limit the damage the attacker can inflict on the organization, its customers, and its reputation. Incident response requires its own distinct set of policies and procedures, including regular training for the staff involved and testing exercises to evaluate the effectiveness of the incident response plan itself. Planning should account for a broad array of threats, and companies should adapt to face modern threats, such as ransomware or disruptions from nation-state threat actors.
This kind of security practice may seem like a significant investment for many organizations, but it’s the price of doing business in a world beset by modern threats. The reality is that information security and data privacy are as essential to a business as operations, finance, or legal functions, and require equal representation at the table of company leadership.
Organizations that adjust to this reality and invest accordingly will likely have a much easier time addressing the almost inevitable security and privacy issues that arise than those that ignore these needs or hope to create a piecemeal solution with minimal investment in people, resources, and leadership involvement.
Jacob Ansari is the National PCI Practice Leader at Mazars in the U.S.