Data security should be high on the list of priorities for software companies – because most, if not all, are handling some sort of sensitive data.
Data security incidents happen, and they will keep happening. It’s in your best interest to mitigate data security incidents as much as possible. This post will give you a high level overview of what you should do to mitigate data security incidents, and be prepared if/when it happens to you.
1. Handle your Data Responsibly
- Identify and classify your data – know what you are collecting, where it is coming from, where and how it is being stored, and what type of data it is.
- Keep your data clean – if you don't need to collect someone's phone number and Social Security number to run your business, don't.
- Protect your data – encrypt your data at rest, in transit, and in database backups. Delete data from your resources when it is no longer needed.
- Map your data – where is your data coming from, and where is it going? Ensure you have an idea of how to get to the data if and when you need it.
2. Have (and Enforce!) a Comprehensive Risk Assessment and Policies & Procedures
Your company's Risk Assessment and Policies & Procedures are key. Every software company should have a comprehensive set including, but not limited to:
- Risk Assessment – the potential physical, technical, and administrative security risks unique to your company.
- HR and Employment Policies – for handling not only benefits, but onboarding and off-boarding of employees and contractors with access to sensitive data.
- Information Security Policy – how your company handles access control, authentication, encryption, logging, passwords, identity and access management (using something like Okta or Beyond Identity) and more.
- IT Policies – including policies around documents, IT, devices, server configuration, email, firewalls, internal software, and logs.
- Security Incident Response Policy – what happens when an incident occurs? Make sure you have a written policy, and practice the policy regularly.
- Disaster Recovery and Business Continuity Plan – what happens if things go wrong, and how your business recovers data and continues operating.
This is not a comprehensive list. It’s important that you enforce your policies & procedures as well – as they are just words without action. Employing a Chief Information Security Officer or a consultant to stay on top of this is key.
3. Train your Team
Making sure your team understands what you are doing for data security, and how to keep it up, is essential. Gaps in training will lead to vulnerabilities and security breaches.
- Employ a consultant, attorney, or application to do comprehensive training on data security best practices for your team.
- Ensure that your team is educated on your internal policies and procedures.
- Train every new employee, and make retraining mandatory on an annual basis outlining any changes.
4. Manage your Vendors
Data breaches can happen through your vendors as well. That is why it is important to manage and monitor the data security posture of your vendors.
- Put your vendors through comprehensive vendor security assessments (audits).
- Update those vendor security assessments on an annual basis, and make sure your vendors keep up.
- Review their privacy policies carefully.
- Build into your contracts with your vendors data security provisions – what you are expecting of them, and how quickly they should be letting you know if they have an incident.
- Consider holding your vendors to standards such as ISO 27001 or SOC 2 Type II.
- If you’re in a regulated industry such as healthcare, ensure that your vendors are HIPAA compliant.
5. Stay on top of Regulations
Regions, countries, states, and industries are coming out with data security regulations on a regular basis. Some of these regulations are:
- ECPA (Electronic Communications Privacy Act) – establishes criminal sanctions for interception of electronic communication.
- FISMA (Federal Information Security Modernization Act) – assigns responsibilities to various government agencies to ensure the security of data in the federal government.
- Gramm Leach Bliley Act – governs the protection of personal information in the hands of banks, insurance companies, and other companies in the financial service industries.
- FCRA and FACTA (Fair Credit Reporting Act, and Fair and Accurate Credit Transactions Act) – restricts use of information bearing on an individual's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living to determine eligibility for credit, employment, or insurance.
- TCPA (Telephone Consumer Protection Act) – regulates calls and text messages to mobile phones, and regulates calls to residential phones made for marketing purposes (telemarketers).
- FERPA (Family Educational Rights and Privacy Act) – gives students the right to inspect and revise their student records for accuracy, and prohibits disclosure of these records or other personal information about students without the student's or parent's consent.
- HIPAA (Health Insurance Portability and Accountability Act) for organizations in the healthcare space, specifically to protect what is considered protected health information.
- GDPR (European Union General Data Protection Regulation) for all organizations that handle data of European Union citizens.
- CCPA (Proposed California Consumer Privacy Act) for all organizations that handle data of California residents.
- Future state-specific regulations currently under review by state senates – in Nevada, New York, Washington, and Texas.
Stay on top of emerging regulations, and make sure you are prepared as they continue to evolve.
Let us Help
This is a very high level overview of data security incident mitigation for software companies, and there are many more caveats to making sure you are doing what you’re supposed to be doing.
Kader Law offers a Data Privacy Compliance package that can help you hit the ground running through our outside general counsel offering. Let’s connect.
This post is not legal advice, and does not establish any attorney client privilege between Law Office of K.S. Kader, PLLC and you, the reader.