A 4-Step Program from the Department of Justice for eCommerce
Posted June 4, 2015
The Cybersecurity Unit of DOJ Released a “Best Practices” Guide for eCommerce Companies, the First Step in Creating a National Policy
The U.S. Department of Justice’s “Best Practices for Victim Response and Reporting of Cyber Incidents” is intended as a practical guide to help companies prevent cyberattacks and know what steps to take after an attack occurs.
In an article on internetretailer.com, Todd Ruback, chief privacy officer of Ghostery, a privacy-related browser extension that enables users to detect and control web bugs, summarizes what the report means for online merchants. The following has been excerpted from the internetretailer.com piece and edited to fit our format and editorial style. You may find the complete article by clicking on this link.
Getting the internal conversation going
These best practices should be considered a starting point for every Internet retailer, large and small, to get a conversation going internally. Not every potential security breach is preventable, but this four-step plan can help retailers take practical steps to reduce their risks with a logical response plan in place when security breaches do occur.
Step 1: Identify what information must be protected
- Inventory data
- Categorize data (personal data comprised of both customer and employee data; confidential information that you hold under contracts with business clients; trade secrets and other types of intellectual property)
- Map the flow of data to determine how it’s collected and used
- Review the security protections in place for each data category and identify areas of vulnerability and controls that can be put in place to mitigate the risk of that data being compromised
Step 2: Create a plan
Have an actionable written plan in place that is tested on a regular basis. No plan is perfect, but when something happens it is comforting to have pre-assigned roles and responsibilities. Do customers need to be contacted and if so, by whom? What should the notice contain? Is there a timeline?
Step 3: Institute safeguards
Be sure there are reasonable safeguards in place to protect those crown jewels. Safeguards should be commensurate with the size and complexity of an organization. Joe’s corner hardware store will have very different cybersecurity needs and capabilities than a publicly-traded, multinational brand. Employee privacy awareness training should be a part of those safeguards.
Step 4: Legal strategy
Ensure there is competent, experienced outside counsel familiar with cyber incident management at the ready. Calling an insurance agent at 3:00 a.m. for legal advice is never a good idea.
When a breach occurs
When an incident happens — notice I didn’t say ‘if’ — you need to mobilize and turn to your tested incident response plan. The DOJ’s guidance signals the need to make an initial assessment of the event, determining the nature and scope of the incident.
This critical point is important. There are many cases where companies panic, reacting without first knowing the facts, often making disastrous decisions that cause consumer panic and regulatory frustration. Having a sound procedure for cyber incidents prevents this from happening. Once an assessment is done, take measures to minimize the breach and shut down the bad guys. It’s also a good idea to make sure to keep written records and logs of an investigation, in case there are statutory data breach notification obligations under different state laws.