More Tips on Good Data Protection
Another week, another enforcement action from the Federal Trade Commission giving us a glimpse into what modern data protection programs should look like. This time the company in question is a telecommunications company that flubbed basic data protection protocols and then suffered a breach; and as usual, the FTC gives compliance, privacy, and IT security teams plenty to think about.
Let’s start with the case itself, which the FTC announced last Friday. It involves a company called Global Tel*Link Corp., which we will shorten to “GTL” since including an asterisk in your company name is so cringe. GTL offers a range of telecom services to the prison industry, from phone lines for inmates to call loved ones to handheld tablets inmates can use to pass the time. As such, GTL maintains a complex IT infrastructure and collects a lot of personal data.
According to a complaint the FTC first filed against GTL last November, the trouble began in 2020. GTL was developing new software for its operations, and moved a large amount of data, including personal data of roughly 645,000 inmates, into a testing environment on Amazon Web Services. Except, GTL engineers didn’t implement basic protocols such as encrypting that personal data or using an intrusion protection system to intercept unwanted visitors.
For at least two days in August 2020, all that personal data was left on AWS for anyone to find. That’s exactly what happened: numerous unknown parties accessed the data and copied it. By September 2020 GTL became aware of the breach, and by November consumers were complaining that they’d found their GTL-collected personal data available on the dark web.
Next, the FTC said, GTL mishandled its disclosure of the breach to affected consumers. First the company said that no medical or financial data had leaked, when in fact it knew that such data had been swiped. Then GTL informed only 45,000 users about the breach rather than the full 645,000 whose records were exposed, and informed them only in May 2021 — nine months after the breach happened.
Basics on Good Information Security
All that history brings us to the FTC settlement announced last week, and the raft of data security improvements that GTL must implement within the next 60 days.
Written plan and direct oversight. First (and pretty much as always in these FTC cases), GTL must draft a written information security plan and designate a qualified person to implement and oversee that plan. Said person must then make annual presentations to the board about the overall status of the security plan. Those presentations should include discussion of material risks, the results of security plan testing, and any specific breaches or other incidents that have happened lately.
I like this part of the FTC settlement because it shows how IT security leadership and the board should be talking about security. You could take the specifics from this part of the FTC order and convert them into standing agenda items for the CISO’s annual report to the board — and if your CISO isn’t making annual reports to the board, you’re doing it wrong.
Data security safeguards. The FTC order also includes a long list of safeguards GTL must implement to keep personal data secure. Some of them are more employee-centric in nature, such as annual security awareness training and hiring qualified IT security personnel. Others are process-centric, such as having an incident response plan.
A fair number, however, are decidedly more technical in nature:
- Encrypting all personal data, whether that data is in transit or at rest;
- Using firewalls, intrusion detection systems, and file integrity monitoring tools;
- Maintaining complete access logs, so the company can audit unauthorized access to data more efficiently;
- Using multi-factor authentication to access personal data, unless a user has received written approval to use other reasonably similar controls.
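To make the file integrity monitoring item concrete, here is an added example (not code from the original post, and not GTL's or any vendor's tooling) of the core mechanism such a tool relies on: record a baseline of SHA-256 digests for every file under a directory, then compare the current state against that baseline and report what was added, removed, or modified. The directory tree and the changes made to it are constructed inside the script so it runs offline.

```python
"""Minimal file integrity monitoring (FIM): baseline a directory tree with
SHA-256 digests, then diff the live tree against that baseline.
Illustrative example; the sample files and the changes to them are constructed here."""
import hashlib
import tempfile
from pathlib import Path


def _sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX-style) to its digest."""
    root_path = Path(root)
    baseline = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root_path).as_posix()] = _sha256_of(path)
    return baseline


def compare_to_baseline(root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Return the files added, removed, or changed since the baseline was taken."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then alter it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"placeholder binary content")
        baseline = build_baseline(tmp)

        # Changes a monitoring tool should surface in its next check
        (root / "etc" / "app.conf").write_text("debug=true\n")   # modified
        (root / "bin" / "service").unlink()                       # removed
        (root / "etc" / "dropped.sh").write_text("echo hi\n")     # added
        return compare_to_baseline(tmp, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be stored somewhere an intruder on the monitored host cannot rewrite (a separate system, or a signed store), and the comparison should run on a schedule with its findings fed into the same access-log and incident response processes the order describes; otherwise an attacker who alters files can simply re-baseline them.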
And GTL needs to implement several IT general controls, including better change management controls, “secure development” practices for in-house software development, and more rigorous testing of externally developed software.
I go into such detail about these data security safeguards because they are all measures that can be audited — and for large companies with a capable internal audit team, that’s something that will need to be done. Clearly as companies rely on data to an ever greater extent, their privacy and cybersecurity risks will go up. That means they’ll need more assurance that the security measures they have in place are effective and adequate. Internal audit teams will need to be able to handle that concern.
Third-party risk management. GTL will need policies and procedures “to adequately vet and assess service providers’ data security practices prior to contracting with the service providers and periodically thereafter.” It will also need to require its technology providers to train their own employees on security and to implement their own safeguards for protecting personal data.
That’s not unreasonable in the abstract; but consider how your own enterprise would enforce such third-party risk management practices. For example, do you have centralized contract management for IT services, or can any employee with a company credit card and a dream bring new third-party risks to your business?
Independent security assessment. The FTC also required GTL to undergo independent security assessments every other year for the next 20 years (a common period of time for FTC settlements). That arrangement will work essentially as an independent audit of GTL’s privacy and information security programs, making sure that the company meets all the obligations listed above.
Emerging Standard of Data Protection
I always recommend reading FTC settlements over poor data security because these agreements clearly point toward the best practices that every company should be adopting for privacy and cybersecurity. Unless you happen to be in highly regulated fields such as healthcare or financial services, right now FTC settlements are the best examples of security governance that the rest of us can use.
And really, the contours of those best practices aren’t that hard to see:
- Put your information security plan in writing. Designate someone to be responsible for implementing that plan.
- Have that person talk with the board about cybersecurity on a regular basis.
- Implement strong processes, training, and technical controls to keep confidential data secure.
- Test that program yourself, and undergo independent audits on a regular basis.
That is what every company must do. Large companies already do all this, of course; the challenge for them is to do it well and efficiently, and for smaller companies to do it at all.
Then again, if you don’t implement these practices yourself on a voluntary basis, the FTC (and eventually other regulators) will be more than ready to make you implement them by force.