At the start of a new year it is timely to consider the privacy
and security risks you face in the coming year.
In early 2016, the U.S. Federal Trade Commission (FTC) gathered information from around 50 enforcement actions it had commenced against U.S. entities for failing to keep personal information secure, all of which resulted in settlement. FTC action was generally provoked by basic security missteps. The resulting publication, Start with Security, provides 10 key steps, summarised below, to secure personal information.
1. Start with security: Factor security concerns into decision making across all business areas. Do not collect information that is not needed, particularly if it is personal in nature, and do not keep information for longer than is
2. Control access to data sensibly: Ensure employees only have access to sensitive data on a 'need to know' basis. Ensure administrative access is limited to IT
3. Require secure passwords and authentication: Insist on complex, unique passwords for employees (i.e. not abcde12345, etc.), store both staff and user passwords securely (e.g. not in plain text files), protect against brute force attacks by suspending user credentials after a number of failed login attempts, and consider two-factor authentication and
4. Store sensitive personal information securely and protect it during transmission: Use strong, industry standard and properly configured encryption when storing or transmitting personal information (i.e. throughout the entire lifecycle of the data).
5. Segment your network and monitor who's trying to get in and out: Use firewalls and physical breaks in networks to prevent computers that have no need for it from reaching locations storing sensitive personal data. Monitor network traffic for malicious activity.
6. Secure remote access to your network: If using remote login systems, consider the security of the remote devices. For instance, ensure that at-home users or clients have reasonable security measures in place, and put limits on what information remote devices can access.
7. Apply sound security practices when developing new products: Consider how securely new apps will store information; ensure coding staff follow best practice when creating new apps, follow platform (e.g. iOS, Android, macOS) security guidelines, and verify that security features function and protect against common vulnerabilities.
8. Make sure your service providers implement reasonable security measures: If employing external service providers to process personal information or to develop apps that will process such information, include security standards as contractual terms. Verify compliance with these agreements by monitoring the
9. Put procedures in place to keep your security current and address vulnerabilities that may arise: Security is an ongoing process, requiring that systems be regularly updated and patched and that critical vulnerabilities be addressed in a timely manner. Have a process for the reporting of security flaws and pay attention to the information received through it.
10. Secure paper, physical media, and devices: The same lessons that apply to network security apply equally to these media. Keep sensitive paper-based information physically secure (e.g. in locked cabinets); take steps to prevent tampering with physical devices (like credit card readers and PCs); consider whether devices containing sensitive information should leave the office, and if so ensure they are carefully looked after and properly secured. Finally, sensitive data and devices should be properly disposed of at end of life (e.g. by crosscut shredding and hard drive destruction).
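Step 3 in practice, as an added example that is not from the FTC guidance or from this article: passwords are stored as salted PBKDF2 hashes rather than in plain text, a minimal complexity policy rejects passwords like abcde12345, and credentials are suspended for a period after a set number of failed logins. The policy constants, the in-memory store and the injectable clock are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Policy values chosen for this example (assumptions, not from the article).
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 600_000  # work factor; tune to your hardware
MIN_PASSWORD_LENGTH = 12

def hash_password(password, salt=b""):
    """Return (salt, digest); only this pair is stored, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def is_acceptable_password(password):
    """Reject short or low-variety passwords such as 'abcde12345'."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3

class CredentialStore:
    def __init__(self, clock=time.monotonic):
        self._users = {}     # username -> (salt, digest)
        self._failures = {}  # username -> (failure_count, locked_until)
        self._clock = clock

    def register(self, username, password):
        if not is_acceptable_password(password):
            raise ValueError("password does not meet the complexity policy")
        self._users[username] = hash_password(password)

    def authenticate(self, username, password):
        """Return 'ok', 'denied' or 'locked'; locks after MAX_FAILURES bad attempts."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"
        record = self._users.get(username)
        # Hash against a dummy record for unknown users so they cost the same as real ones.
        salt, stored = record if record is not None else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if record is not None and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)  # a success clears the failure count
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[username] = (count, 0.0)
        return "denied"
```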
Local experience, as evidenced by the Office of the Australian Information Commissioner's publications and enforceable undertakings, indicates that it is similarly often a failure to have regard to these basic hygiene measures that causes major security
This publication does not deal with every important topic or
change in law and is not intended to be relied upon as a substitute
for legal or other advice that may be relevant to the reader's
specific circumstances. If you have found this publication of
interest and would like to know more or wish to obtain legal advice
relevant to your circumstances please contact one of the named