CNET may have summed up 2014 as the "Year of the Hack," but 2015 already looks to be more of the same. Only a few weeks into the new year, TurboTax and Anthem have reported data breaches. It is no surprise then to see federal agencies and self-regulatory organizations rallying to address consumer security and privacy concerns.

On January 27, 2015, the Federal Trade Commission (FTC) issued an FTC Staff Report recommending best practices for Internet-connected devices. See Strasburger's Intellectual Property Blog article on the FTC report. A week later, both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) followed suit. The SEC's Risk Alert collects observations from the Cybersecurity Initiative the SEC began in April 2014, which examined the cybersecurity policies and practices of 57 registered broker-dealers and 49 investment advisors. The Risk Alert carefully avoids creating recommendations or safe harbors and instead provides "summary observations" that firms may consider in assessing their own cybersecurity compliance. The FINRA Report on Cybersecurity Practices is likewise the product of an industry-wide examination of a cross-section of firms, but it goes further than the SEC Risk Alert by setting out a summary of "principles and effective practices."

Whether called best practices, observations, or principles, three practices that will assist businesses in avoiding cybersecurity risks emerge from these reports.

Involve senior level management

The FTC, SEC, and FINRA all focus on who in a business is responsible for identifying and managing cybersecurity risks. FINRA declares that "[a]ctive executive management—and as appropriate to the firm, board-level involvement—is an essential effective practice to address cybersecurity threats." See FINRA Report on Cybersecurity Practices (February 3, 2015) at p. 7. Once executive engagement is described as an essential practice, directors and officers who leave cybersecurity entirely to the IT department may face liability for lack of oversight. Businesses should therefore decide, based on the size and complexity of their organizations, whether to hire a separate Chief Information Security Officer (CISO) or to assign responsibility for cybersecurity to their Chief Technology Officer, and in either case should ensure that the person accountable reports regularly to senior management on the risks identified and the steps taken to manage them.

Exercise vendor oversight

A chain is only as strong as its weakest link. Any vendor that collects, processes, or stores private information on a company's behalf exposes the company to that vendor's cybersecurity risks. Businesses should perform pre-contract due diligence on the security practices of any prospective service provider, and the service agreement itself should identify the sensitivity of the data involved and spell out how the service provider will protect it. Vendors should also be included in the company's ongoing risk assessments rather than reviewed only at signing. Finally, clear service agreement provisions should allocate responsibility, including financial responsibility, for data breaches. The consequences of leaving that allocation unclear are already being litigated: earlier this year, Travelers Casualty and Surety Company of America sued its insured's web designer, claiming that the designer's negligent maintenance of a website allowed a data breach.

Incorporate cybersecurity in personnel practices

Employees are one of the main sources of cybersecurity risk for businesses. In its Initiative, the SEC found that most of the breaches experienced by broker-dealers and investment advisors involved malware or fraudulent emails, and that employees' failure to follow identity-authentication procedures was a recurring cause. See SEC National Exam Program Risk Alert, Vol. IV, Issue 4 (February 3, 2015) at 3. To manage cybersecurity risks effectively, businesses must build data security into their personnel practices at every stage, including background checks in hiring, training employees to recognize fraudulent emails and to verify requests before acting on them, and promptly revoking system access when employees leave.

By issuing these publications, federal agencies and self-regulatory organizations are putting the businesses under their purview on notice that in today's digital world no business can escape the task of addressing cybersecurity and data privacy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.