Companies should disclose the breach swiftly if names and identifying information such as Social Security numbers and passwords are exposed.
2. Disclose What Exactly Was Stolen
Customers should be told the extent to which their personal and financial information has been compromised so that they can assess their risk (phishing, identity theft, bank fraud) and decide on the next steps to take.
3. Free Credit Monitoring Services
Even though monitoring services aren't foolproof, they are a good line of defense against identity theft and potential fraud. Companies should offer two years of monitoring services for free in the event of a data breach.
4. Encrypt Sensitive Data
Not all data needs to be encrypted, but highly sensitive data should be, and encryption keys and applications using the data should be protected.
5. Protect the Encryption Keys
It's not enough to hash or encrypt the data; make sure the algorithm being used is secure and not obsolete. Don't keep the keys on the server, or any intruder with access to the server will have the keys.
6. Limit Data Collection
Companies should not collect more sensitive data than is needed to conduct a given transaction and should not retain it any longer than is absolutely necessary.
7. Know the Risks and Protect
Organizations need to perform risk assessments so that they know exactly where sensitive data is stored and can protect it from direct Internet traffic.
8. Check the Applications
Many applications are still vulnerable to SQL injection and cross-site scripting attacks. Regularly test the application and audit changes to ensure there are no security holes exposing data.
9. Patch, Update Software Regularly
Some of the recent data breaches happened because the administrators hadn't installed security patches or updated to the latest version of the software. Patches close vulnerabilities, so install them.
10. Consumer Data is Valuable
Consumer data should be handled as if it were the most valuable resource in the company. Don't leave paper records in unlocked filing cabinets and don't make it easy for anyone to access data. Security should not be an afterthought.