October 31, 2022

Information Security Plan - Part 3 of 3

Plan on how to detect & manage system failures

The FTC Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three critical areas of information security: Information Systems, Employee Management & Training, and Detecting and Managing System Failures.

This blog post covers Detecting and Managing System Failures. For other areas, please see our Information Systems and Employee Management & Training blog posts.

Detecting & Managing System Failures

  • Monitor the websites of your software vendors and read relevant industry publications for news about emerging threats and available defenses
  • Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to customer information. For example:
    • Check with software vendors regularly to get and install patches that resolve software vulnerabilities
    • Use anti-virus and anti-spyware software that updates automatically
    • Maintain up-to-date firewalls, particularly if you use a broadband Internet connection or allow employees to connect to your network from home or other off-site locations
      • 💁‍♂️ Consumer-grade firewalls like Linksys are easy to set up and can work for small businesses (under 10 employees). Enterprise-grade firewalls require professionals to set up but offer higher performance and more capabilities. Use Palo Alto Networks if budget is not a concern; otherwise use Fortinet.
    • Regularly ensure that ports not used for your business are closed
      • 💁‍♂️ To get started, allow inbound connections only to your VPN and to specific servers (e.g., DNS, web server, mail server), and open outbound ports only where a business need exists. Re-check the list after every software install or server change, since new services often start listening on ports nobody asked for.
    • Promptly pass along information and instructions to employees regarding any new security risks or possible breaches
  • Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. For example:
    • Keep logs of activity on your network and monitor them for signs of unauthorized access to customer information
    • Use an up-to-date intrusion detection system to alert you of attacks
      • 💁‍♂️ Next-generation firewalls from Palo Alto Networks (higher budget) or Fortinet (cheaper alternative) double as both a firewall and an intrusion detection system.
    • Monitor both in- and out-bound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user
    • Insert a dummy (canary) account into each of your customer lists and monitor it: any contact, charge, or record lookup involving that account can only have come from someone who obtained the list, so it is a reliable sign of unauthorized access
  • Take steps to preserve the security, confidentiality, and integrity of customer information in the event of a breach. If a breach occurs:
    • Take immediate action to secure any information that has or may have been compromised. For example, if a computer connected to the Internet is compromised, disconnect the computer from the network, but leave it powered on so that memory, running processes, and open connections can still be examined
    • Preserve and review files or programs that may reveal how the breach occurred
      • 💁‍♂️ Before letting service providers manage sensitive data on your behalf, ask how their audit logging works and request proof of their compliance certifications. For example, Strac maintains audit logs for all data access and has been certified for handling financial and health care data under SOC 2, HIPAA and other frameworks.
    • If feasible and appropriate, bring in security professionals to help assess the breach as soon as possible
  • Consider notifying consumers, law enforcement, and/or businesses in the event of a security breach. For example:
    • Notify consumers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm
    • Notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm
    • Notify the credit bureaus and other businesses that may be affected by the breach
    • Check to see if breach notification is required under applicable state laws
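The three oversight bullets above (closing unused ports, monitoring logs for access to a canary customer record, and watching for unexpectedly large outbound transfers) are each a small, mechanical check. The script below is an added example, not code from the original post or from Strac; the `ss` output, access-log format, canary ID, approved-service list and egress figures are all constructed for illustration.

```python
"""Three detection checks for the 'oversight or audit' bullets above.
Added example, not from the original post; all inputs are constructed."""
import re
import statistics
from collections import defaultdict

# ---- 1. Listening sockets vs. the services the business actually runs ----
# Hypothetical approved inbound services: OpenVPN, DNS, HTTPS, SMTP submission.
APPROVED_LISTENERS = {("udp", 1194), ("udp", 53), ("tcp", 53), ("tcp", 443), ("tcp", 587)}

# Constructed text in the shape of `ss -H -tulnp` output (no header row).
SS_OUTPUT = """\
udp UNCONN 0 0   0.0.0.0:1194   0.0.0.0:* users:(("openvpn",pid=412,fd=6))
udp UNCONN 0 0   0.0.0.0:53     0.0.0.0:* users:(("unbound",pid=510,fd=5))
tcp LISTEN 0 128 0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=611,fd=6))
tcp LISTEN 0 128 0.0.0.0:587    0.0.0.0:* users:(("master",pid=702,fd=13))
tcp LISTEN 0 128 0.0.0.0:3389   0.0.0.0:* users:(("xrdp",pid=815,fd=11))
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=900,fd=7))
"""

def unapproved_listeners(ss_text, approved=APPROVED_LISTENERS):
    """Return (proto, port, process) for every socket bound to a non-loopback
    address whose proto/port pair is not on the approved list."""
    findings = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")
        if addr in ("127.0.0.1", "[::1]"):
            continue  # loopback-only services are not reachable from the network
        m = re.search(r'\(\("([^"]+)"', line)
        if (proto, int(port)) not in approved:
            findings.append((proto, int(port), m.group(1) if m else "?"))
    return findings

# ---- 2. Canary ("dummy") customer record ----
# CANARY_ID is a hypothetical planted record; only the audit job may read it.
CANARY_ID = "C-000999"
ALLOWED_CANARY_READERS = {"svc-audit"}

# Constructed application access-log lines (the key=value layout is an assumption).
ACCESS_LOG = """\
2022-10-30T09:14:02Z user=alice action=view customer=C-104821
2022-10-30T09:15:40Z user=svc-audit action=view customer=C-000999
2022-10-30T11:02:17Z user=bob action=export customer=C-000999
2022-10-30T11:02:18Z user=bob action=export customer=C-104821
"""

def canary_hits(log_text, canary=CANARY_ID, allowed=ALLOWED_CANARY_READERS):
    """Return (timestamp, user, action) for every touch of the canary record
    by an account that is not expected to read it."""
    pat = re.compile(r"^(\S+) user=(\S+) action=(\S+) customer=(\S+)$")
    hits = []
    for line in log_text.splitlines():
        m = pat.match(line)
        if m and m.group(4) == canary and m.group(2) not in allowed:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

# ---- 3. Outbound volume to destinations the business does not know ----
# Constructed daily egress totals: (day, source host, destination, bytes).
KNOWN_DESTINATIONS = {"backup.example-partner.net", "mail.example.com"}
EGRESS = [
    ("d1", "fileserver", "backup.example-partner.net", 40_000_000),
    ("d2", "fileserver", "backup.example-partner.net", 42_000_000),
    ("d3", "fileserver", "backup.example-partner.net", 39_000_000),
    ("d4", "fileserver", "backup.example-partner.net", 41_000_000),
    ("d4", "fileserver", "203.0.113.77", 3_500_000_000),
    ("d4", "laptop-7", "mail.example.com", 2_000_000),
]

def egress_outliers(records, known=KNOWN_DESTINATIONS, factor=5.0):
    """Flag (src, dst, bytes) where one day's transfer to a destination that is
    not on the known list exceeds `factor` times that host's median daily egress.
    The median is used as the baseline so a single huge transfer cannot hide itself."""
    per_host = defaultdict(list)
    for _, src, _, nbytes in records:
        per_host[src].append(nbytes)
    outliers = []
    for _, src, dst, nbytes in records:
        baseline = statistics.median(per_host[src])
        if dst not in known and nbytes > factor * baseline:
            outliers.append((src, dst, nbytes))
    return outliers

if __name__ == "__main__":
    print("unapproved listeners:", unapproved_listeners(SS_OUTPUT))
    print("canary hits:", canary_hits(ACCESS_LOG))
    print("egress outliers:", egress_outliers(EGRESS))
```

Run against the constructed data, the first check flags the RDP listener on tcp/3389 (the loopback-only database is ignored), the second flags `bob` exporting the canary record, and the third flags the 3.5 GB transfer from the file server to an unknown address while leaving the routine partner backups alone. In practice you would feed `ss -H -tulnp`, your application's access log and firewall or flow-log totals into these functions from a scheduled job and route any non-empty result to whoever handles alerts.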

Founding Engineer. Ex-Amazon Payments Security Engineer for 10 years.
