Understanding “Reasonable Cybersecurity Measures” to Safeguard Data
Reasonable Cybersecurity Measures for Protection
After collecting personal information, businesses must take “reasonable measures” to safeguard it. Some states, such as Florida and Alabama, have this standard (or a similar one) in their cybersecurity statutes. On the federal level, the Federal Trade Commission has brought numerous enforcement actions against companies for engaging in “unfair” cybersecurity practices. This legal authority provides some guidance on what “reasonable” cybersecurity measures look like.
Reasonable cybersecurity measures include numerous safeguards. The good news is, many effective safeguards are easy to implement. These include:
- Requiring all employees with access to personal information to use strong passwords
- Restricting employees’ access to personal information to a “need-to-know” basis
- Training employees on basic cybersecurity measures and taking precautions, such as learning how to identify scams and not falling for phishing emails
- Using multi-factor authentication for remote access to personal information
- Updating software and operating systems with the latest security patches
Although this is not a complete list of possible cybersecurity precautions, taking these measures can prevent many data breaches and help create a “culture of cybersecurity” within the organization.
[Editor’s note: for more information on cybersecurity, read the first installment of this series, “The Legal Implications of Cyber Security When Collecting Personal Information”]
Another aspect of “reasonable” cybersecurity pertains to vendors. Any outside company with access to your business’s records, including personal information, should commit to reasonable cybersecurity practices as well. Contracts with such vendors should require the vendors to safeguard data, notify you of a breach, and indemnify you for breach costs. These contracts should be reviewed and renegotiated as necessary to comply with the law.
The bad news about “reasonable cybersecurity” is that, despite your best efforts at prevention, a data breach is virtually inevitable. “It’s not a matter of if, but when” is the common refrain. This makes preparation and response all the more important.
To view the complete article originally published by Financial Poise on September 14, 2018, click here.