Over the past few years, the government regulations relating to how companies must protect their IT infrastructure have changed significantly. That trend recently continued thanks to a new rollout of rules for data breach responses from the Federal Trade Commission, and experts believe that won't change any time soon.

The FTC's latest guidelines highlight how companies should handle data breaches, and specifically deal with how businesses react when they suspect they've been affected, according to a report from the law firm Frankfurt Kurnit Klein and Selz. These requirements come in three stages: securing existing infrastructure, fixing the vulnerabilities that may have led to the breach, and notifying everyone affected by the incident. Security experts already say these are basic best practices for any organization that suffers a breach, but without the FTC suggestions, some may go without implementing them.

Another aspect of the rules
What's interesting, though, is that the FTC's new guidelines also recommend that companies actually go above and beyond state requirements in data breach notifications in particular, the report said. While most states will require that notification letters describe the breach, the data exposed, and potentially how that data was used, the FTC also recommended organizations spell out how future notifications related to the incident will be conducted, information about any law enforcement agencies involved in the investigation of the breach, and advice on where to go for more information about how victims can protect themselves from identity theft.

These new guidelines might also be useful for organizations insofar as they give them the opportunity to review their own internal procedures for handling data breaches. It might also lead them to consider the benefits of options like colocation to ensure business continuity in the event of a breach, or working with a data center provider to provide a more secure physical space for their IT equipment. The more that can be done to boost both physical and virtual security, the better off companies of all sizes will be.

Issues on the rise
This kind of consideration may be increasingly important as time goes on, simply because about 4 in 5 experts based at large global businesses now believe the number of disputes related to data protection and privacy will rise at least somewhat over the next several years, according to a report from Infosecurity Magazine. Roughly the same number felt similarly about disputes stemming from breaches specifically.

'The reputational and financial effects of such issues can have hugely detrimental consequences for an organization,' said David McIlwaine, a partner at the law firm that helped conduct the survey, according to the site. 'Clearly, the twin issues are concerning in-house lawyers. This would suggest that in order to predict and mitigate real business risk, organizations should now be setting and testing their approach to data protection or data security compromise, including, potentially, the creation of a crisis protocol.'

Nearly 1 in 4 businesses surveyed said they had been hit with at least 20 disputes regarding technology, multimedia, and telecommunications over the previous five years, the report said. More than 1 in 3 said their biggest incident cost them more than $100 million.

CyrusOne Inc. published this content on 23 November 2016 and is solely responsible for the information contained herein.
Distributed by Public, unedited and unaltered, on 03 December 2016 02:18:05 UTC.

Original document: https://www.cyrusone.com/latest-updates/industry-insight/ftc-rolls-out-more-data-security-rules/

Public permalink: http://www.publicnow.com/view/C5E44385498EC9A5506EC63EA45CF9E659981342