Information Security … A Guide For Business #4 How Secure Is Your Data?
Ten practical lessons businesses can learn from the FTC’s (business.ftc.gov) 50+ data security settlements. Storing Sensitive Personal Information Securely and Protect It During Transmission. This is part #4 in our series of Information Security: A Guide For Business.
#4 Store Sensitive Personal Information Securely and Protect It During Transmission!
For many companies, storing sensitive data is a business necessity. And even if you take appropriate steps to secure your network, sometimes you have to send that data elsewhere. Use strong cryptography to secure confidential material during storage and transmission. The method will depend on the types of information your business collects, how you collect it, and how you process it. Given the nature of your business, some possibilities may include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption, or an iterative cryptographic hash. But regardless of the method, it’s only as good as the personnel who implement it. Make sure the people you designate to do that job understand how your company uses sensitive data and have the know-how to determine what’s appropriate for each situation. With that in mind, here are a few lessons from FTC cases to consider when securing sensitive information during storage and transmission.
Keep sensitive information secure throughout its lifecycle.
Data doesn’t stay in one place. That’s why it’s important to consider security at all stages, if transmitting information is a necessity for your business. In Superior Mortgage Corporation, for example, the FTC alleged that the company used SSL encryption to secure the transmission of sensitive personal information between the customer’s web browser and the business’s website server. But once the information reached the server, the company’s service provider decrypted it and emailed it in clear, readable text to the company’s headquarters and branch offices. That risk could have been prevented by ensuring the data was secure throughout its lifecycle, and not just during the initial transmission.
Use industry-tested and accepted methods.
When considering what technical standards to follow, keep in mind that experts already may have developed effective standards that can apply to your business. Savvy companies don’t start from scratch when it isn’t necessary. Instead, they take advantage of that collected wisdom. The ValueClick case illustrates that principle. According to the FTC, the company stored sensitive customer information collected through its e-commerce sites in a database that used a non-standard, proprietary form of encryption. Unlike widely-accepted encryption algorithms that are extensively tested, the complaint charged that ValueClick’s method used a simple alphabetic substitution system subject to significant vulnerabilities. The company could have avoided those weaknesses by using tried-and-true industry-tested and accepted methods for securing data.
Ensure proper configuration.
Encryption – even strong methods – won’t protect your users if you don’t configure it properly. That’s one message businesses can take from the FTC’s actions against Fandango and Credit Karma. In those cases, the FTC alleged that the companies used SSL encryption in their mobile apps, but turned off a critical process known as SSL certificate validation without implementing other compensating security measures. That made the apps vulnerable to man-in-the-middle attacks, which could allow hackers to decrypt sensitive information the apps transmitted. Those risks could have been prevented if the companies’ implementations of SSL had been properly configured.