8 February 2017

Privacy: 2016 privacy security practice in review, lessons from the United States

Holding Redlich

Holding Redlich, a national commercial law firm with offices in Melbourne, Canberra, Sydney, Brisbane, and Cairns, delivers tailored solutions with expert legal thinking and industry knowledge, prioritizing client partnerships.

At the start of a new year it is timely to consider the privacy and security risks you face in the coming year.

In early 2016, the U.S. Federal Trade Commission (FTC) drew together the lessons from around 50 enforcement actions it had brought against U.S. entities that failed to keep personal information secure, all of which were resolved by settlement.

FTC action was generally prompted by basic security missteps rather than sophisticated attacks. The FTC's publication Start with Security distils those cases into 10 key steps, summarised below, for securing personal information.


  1. Start with security: Factor security concerns into decision making across all business areas. Do not collect information that is not needed, particularly if it is personal in nature, and do not keep information for longer than is necessary.
  2. Control access to data sensibly: Give employees access to sensitive data only on a 'need to know' basis, and limit administrative privileges to the staff whose roles actually require them.
  3. Require secure passwords and authentication: Insist on complex, unique passwords for employees (not abcde12345 or the like); store both staff and customer passwords securely (salted and hashed, never in plain text files); protect against brute force attacks by suspending credentials after a set number of failed login attempts; protect against authentication bypass (e.g. a protected page that can be reached simply by typing its address); and consider two factor authentication.
  4. Store sensitive personal information securely and protect it during transmission: Use strong industry standard and properly configured encryption when storing/transmitting personal information (i.e. throughout the entire lifecycle of the data).
  5. Segment your network and monitor who's trying to get in and out: Use firewalls and network segmentation so that computers with no need to reach the systems holding sensitive personal data cannot do so, and monitor network traffic for suspicious activity (for example, with an intrusion detection system).
  6. Secure remote access to your network: If using remote login systems, consider the security of the remote devices. For instance, ensure that at-home users or clients have reasonable security measures in place and put limits on what information remote devices can access.
  7. Apply sound security practices when developing new products: Consider how securely new apps will store information; ensure developers follow secure coding practices and the relevant platform security guidelines (e.g. iOS, Android, macOS); and verify by testing, not just design review, that security features actually function and that the app is protected against common vulnerabilities.
  8. Make sure your service providers implement reasonable security measures: If employing external service providers to process personal information or develop apps that will process such information, include security standards as contractual terms. Verify compliance with these agreements by monitoring the providers' efforts.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise: Security is an ongoing process, requiring that systems be regularly updated/patched and critical vulnerabilities addressed in a timely manner. Have a process for the reporting of security flaws and pay attention to information received there through.
  10. Secure paper, physical media, and devices: The same lessons that apply to network security apply in kind to these mediums. Keep sensitive paper based information physically secure (e.g. in locked cabinets); take steps to prevent tampering with physical devices (like credit card readers and PCs); consider whether devices containing sensitive information should leave the office, and if so ensure they are carefully looked after and properly secured. Ultimately, sensitive data and devices should be properly disposed of at end of life (e.g. by crosscut shredding and hard drive destruction).
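The following is an added example (not part of the Holding Redlich article or the FTC guide) showing step 3 in code: passwords are never stored, only a salted PBKDF2 digest; comparison is constant-time; an account is suspended after a set number of consecutive failures and then rejects even the correct password; and obviously weak choices such as the article's abcde12345 are refused at enrolment. The iteration count, lockout threshold, minimum length and the denylist are assumptions chosen for illustration.

```python
# Added example for step 3 (secure password storage and brute-force lockout).
# Not from the article or the FTC guide; PBKDF2_ITERATIONS, MAX_FAILED_ATTEMPTS,
# MIN_PASSWORD_LENGTH and WEAK_PASSWORDS are assumed values for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune upward in production
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
MIN_PASSWORD_LENGTH = 12      # assumed minimum length
# Constructed denylist of obviously weak choices (the article's own example included).
WEAK_PASSWORDS = {"abcde12345", "password", "password1", "123456789012"}


@dataclass
class Account:
    username: str
    salt: bytes            # per-user random salt, stored alongside the digest
    digest: bytes          # PBKDF2 output; the password itself is never stored
    failed_attempts: int = 0
    locked: bool = False


def is_acceptable_password(password: str, username: str) -> bool:
    """Reject short, denylisted or username-based passwords."""
    lowered = password.lower()
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if lowered in WEAK_PASSWORDS:
        return False
    if username.lower() in lowered:
        return False
    return True


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest; the slow KDF is what makes offline guessing costly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str) -> Account:
    """Enrol a user: enforce the policy, then store only salt and digest."""
    if not is_acceptable_password(password, username):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    return Account(username=username, salt=salt, digest=hash_password(password, salt))


def verify_login(account: Account, attempt: str) -> bool:
    """Check a login attempt; lock the account after too many consecutive failures.

    A locked account rejects even the correct password, so a brute force run
    cannot simply continue until it hits the right guess.
    """
    if account.locked:
        return False
    candidate = hash_password(attempt, account.salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if hmac.compare_digest(candidate, account.digest):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


def unlock(account: Account) -> None:
    """Administrative reset, to be used only after the user is verified out of band."""
    account.failed_attempts = 0
    account.locked = False


if __name__ == "__main__":
    acct = create_account("alice", "correct horse battery staple")
    print("correct password:", verify_login(acct, "correct horse battery staple"))
    for guess in ["abcde12345", "password", "letmein", "alice2016", "qwerty"]:
        print(f"guess {guess!r}:", verify_login(acct, guess))
    print("locked:", acct.locked)
    print("correct password while locked:", verify_login(acct, "correct horse battery staple"))
```

The lockout is deliberately a per-account counter rather than a per-source-IP one, because a brute force attack distributed across many addresses still targets a single credential; a real deployment would add rate limiting and alerting on top, and would keep the salt and digest in the user store rather than in memory.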

Local experience, as evidenced by Office of the Australian Information Commissioner (OAIC) publications and enforceable undertakings, indicates that major security breaches in Australia are likewise most often caused by a failure to observe these basic hygiene measures.
