Corporate Cybersecurity: What Are Your Legal and Ethical Obligations?

While personal cybersecurity is important, corporate cybersecurity, as we’ve seen over the last two years, is doubly so. With breaches occurring too often, and personal information leaked, it’s now more vital than ever that a company secure its clients’ information and uphold ethical and legal standards of information security. Here’s a look at what your company can do to keep your clients’ data safe:

Legal Concerns

Before we even touch on ethics, we have to know the law concerning customer data. In most cases, this means credit card information. This is governed by the Payment Card Industry Data Security Standard, or PCI DSS, a standard put in place by major credit card companies including Visa and MasterCard.

For physical stores, the guidance is to keep card data only as long as the transaction requires. If it is stored, however, it must be encrypted and access to it limited. Online retailers must also encrypt customer data, and it’s recommended that a third-party vendor be used for storage and tokenization.

Retailers cannot save security codes or PINs, but can keep the cardholder’s name, account number, expiration date, and service code. The primary account number, or PAN, must be obscured whenever it is displayed, with only the last few digits visible, and must be destroyed when no longer needed.
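The storage rules above, as an added example that is not part of the original article: a check that flags fields a retailer may never retain, and a helper that builds the record it may keep, with the PAN masked for display. The field names are constructed for illustration; the full PAN, if it must be retained at all, is assumed to be written separately to an encrypted store with limited access (not shown here).

```python
import re

# Data elements the article says a retailer may keep (encrypted, limited access)
# versus the ones that may never be stored once the transaction is done.
# Field names are constructed for this example.
STORABLE = {"cardholder_name", "pan", "expiry", "service_code"}
NEVER_STORE = {"security_code", "pin"}


def mask_pan(pan: str, visible_last: int = 4) -> str:
    """Obscure a PAN for display, leaving only the last few digits visible."""
    digits = re.sub(r"\D", "", pan)  # tolerate spaces or dashes in the input
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    if not 0 < visible_last < len(digits):
        raise ValueError("visible_last must leave at least one digit masked")
    return "*" * (len(digits) - visible_last) + digits[-visible_last:]


def forbidden_fields(record: dict) -> set:
    """Return the non-empty fields in a record that must never be retained.

    Useful as a guard before writing to a database or log: anything returned
    here is data the standard says should not exist in storage at all.
    """
    return {k for k, v in record.items() if k in NEVER_STORE and v}


def to_retention_record(card: dict) -> dict:
    """Build the record a retailer may keep after the transaction.

    Security code and PIN are dropped; unknown fields are dropped too, so a
    new form field cannot silently leak into storage; the PAN is replaced by
    its masked form for display.
    """
    kept = {k: v for k, v in card.items() if k in STORABLE}
    kept["pan_masked"] = mask_pan(kept.pop("pan"))
    return kept


if __name__ == "__main__":
    # Constructed sample input, as it might arrive from a checkout form.
    form = {"cardholder_name": "A. Customer", "pan": "4111 1111 1111 1111",
            "expiry": "12/29", "service_code": "201",
            "security_code": "123", "pin": ""}
    print("must not be stored:", forbidden_fields(form))
    print("retention record:", to_retention_record(form))
```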

The Ethics of Cybersecurity

Your IT professionals are part of the “limited access” to client information listed above. They have to be, in order to protect all of the company’s data. This means that they must be ethically sound, lest they leak swaths of personal information. This, in part, comes down to trusting your IT department.

On the other side of the coin, if a leak or breach does occur, it’s better to let customers know immediately rather than let the information proliferate in secret. Target, for example, failed to tell 70 million affected customers after a 2013 breach, despite immediately informing the U.S. Justice Department. Any goodwill the company had with customers was thus squandered, resulting in net earnings falling 46 percent over the previous year in the fourth quarter.

Cybersecurity Tips

Finally, here are some tips for you and your employees to keep information safe.

Training your employees, which combines both ethics and cybersecurity, is the first step, Panda Security notes. They need to understand how the security measures work and how to interact with them; otherwise, all of your security measures could be for naught.

For example, they should know how to handle security if they bring their own devices to work. While connecting a personal phone or laptop to the network seems like a good idea for mobility and could save the company money, it opens the network up to devices that have not been checked by IT. Those devices could carry hidden viruses, or sensitive information could be downloaded onto them. It’s best not to allow BYOD if possible, or at the very least to have each device checked by IT. If employees need a USB drive to carry information easily, provide them with a company-issued one.

Allowing weak passwords can also be the death knell for a network’s security. Go over proper password procedure, and how to come up with a strong password that’s still easy to remember.

Speaking of passwords, using an unsecured Wi-Fi network could result in intercepted information, including login credentials. If possible, set up a VPN for employees to use.

Though it might not sound entirely related to cybersecurity, update your software regularly. In the past, programs like Java could be used to gain full access to a computer. Even the operating system can be compromised if an attacker finds an unpatched way into the system.

Enforcing these procedures can help ensure your company’s important information, including critical customer data, is stored safely and securely.