Posted June 4, 2015
The Cybersecurity Unit of DOJ Released a “Best Practices” Guide for eCommerce Companies, the First Step in Creating a National Policy
The U.S. Department of Justice’s “Best Practices for Victim Response and Reporting of Cyber Incidents” is intended as a practical guide to help companies prevent cyberattacks and know what steps to take after an attack occurs.
In an article on internetretailer.com, Todd Ruback, chief privacy officer of Ghostery, a privacy-related browser extension that enables users to detect and control web bugs, summarizes what the report means for online merchants. The following has been excerpted from the internetretailer.com piece and edited to fit our format and editorial style. The complete article is available on internetretailer.com.
Getting the internal conversation going
These best practices should be considered a starting point for every Internet retailer, large and small, to get a conversation going internally. Not every potential security breach is preventable, but this four-step plan can help retailers take practical steps to reduce their risks with a logical response plan in place when security breaches do occur.
Step 1: Identify what information must be protected
Step 2: Create a plan
Have an actionable written plan in place that is tested on a regular basis. No plan is perfect, but when something happens it is comforting to have pre-assigned roles and responsibilities. Do customers need to be contacted and, if so, by whom? What should the notice contain? Is there a timeline?
Step 3: Institute safeguards
Be sure there are reasonable safeguards in place to protect those crown jewels. Safeguards should be commensurate with the size and complexity of an organization. Joe’s corner hardware store will have very different cybersecurity needs and capabilities than a publicly traded, multinational brand. Employee privacy awareness training should be a part of those safeguards.
Step 4: Legal strategy
Ensure there is competent, experienced outside counsel familiar with cyberincident management at the ready. Calling an insurance agent at 3:00 a.m. for legal advice is never a good idea.
When a breach occurs
When an incident happens — notice I didn’t say ‘if’ — you need to mobilize and turn to your tested incident response plan. The DOJ’s guidance signals the need to make an initial assessment of the event, determining the nature and scope of the incident.
This point is critical. There are many cases where companies panic, reacting without first knowing the facts, often making disastrous decisions that cause consumer panic and regulatory frustration. Having a sound procedure for cyberincidents prevents this from happening. Once an assessment is done, take measures to minimize the breach and shut down the bad guys. It is also a good idea to keep written records and logs of the investigation, in case there are statutory data breach notification obligations under different state laws.