FTC announces data security initiative with new guidance for businesses

On June 30, 2015, the Federal Trade Commission announced a new initiative called “Start with Security,” which includes new guidance for businesses that draws on the lessons learned in the more than 50 data security cases brought by the FTC over the years.

The new guidance, available here, focuses on ten lessons that touch on vulnerabilities that could affect companies, and it also provides some practical guidance on how to reduce the risks they pose. The guidance can be summarized as follows:

(1) Understand you data collection, retention, and use policies, and implement smart data security policies. For example, the FTC notes that companies can avoid risk by not collecting sensitive information that the company doesn’t need or use. Furthermore, when it is necessary to collect personal data, review your policies to determine when your business no longer has a legitimate need to continue storing the sensitive information (and then securely dispose of the information).

(2) Control employees’ or third parties’ access to sensitive data. Implementing proper controls ensures that only authorized employees with a business need have access to sensitive information.

(3) Keep information secure by insisting on more secure password systems and comprehensive authentication mechanisms. For example, the FTC charged a company for failing to test its web application for widely-known security flaws, including one where a hacker could easily predict patterns and manipulate URLs to bypass the web app’s authentication screen and gain unauthorized access to the company’s databases. The FTC also reminds businesses to guard against “brute force” attacks to authentication programs. For example, the FTC has gone after companies that didn’t suspend or disable user credentials after a certain number of unsuccessful login attempts.

(4) Store sensitive information securely and protect it during transmission. The FTC provided a few examples of encryption methods, including Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption, or an iterative cryptographic hash. But the FTC also cautioned that data should be secure throughout its lifecycle and not just during an initial transmission.

(5) Segment your network and understand “Who is knocking at my door?” The FTC notes: when designing your network, consider using tools like firewalls to segment your network, thereby limiting access between computers on your network and between your computers and the Internet.

(6) Secure remote access to you company’s network. Citing a few examples from the FTC’s past enforcement actions, the FTC remind businesses that your network security is only as strong as the weakest security on a computer with remote access to it.

(7) Acknowledging the speed at which businesses innovate, the FTC reiterates the need to apply sound security practices when developing, designing, testing, and rolling-out new products. The FTC recommends (a) training your engineers in secure coding; (b) follow platform guidelines for security (e.g., iOS’s and Android’s guidelines for developers); (c) verify that privacy and security features work (e.g., Snapchat’s claim that its messages would “disappear forever,” which turned out to be inaccurate); and (d) test for common vulnerabilities, like those identified by the Open Wed Application Security Project.

(8) Keep an eye on your service providers. The FTC wants businesses to take reasonable steps to select providers that are able to implement appropriate security measures and then monitor that the providers are meeting your requirements. The FTC suggests that businesses include contract provisions requiring security precautions.

(9) Have procedures in place to keep your security current. The FTC charged one company that didn’t have a process for receiving and addressing reports about security vulnerabilities. This delay in responding to warnings meant that the vulnerabilities found their way onto even more devices across multiple operating system versions. The FTC suggests businesses consider a clearly publicized and effective channel (e.g., a dedicated email address like security[@]yourcompany.com) for receiving reports and flagging them for your security staff.

(10) Don’t forget to secure paper, physical media, and devices too. We are often focused on protecting our digital information, but physical information and devices need to be secured too. The FTC reminds businesses to securely store sensitive information, protect devices that process personal information, e.g., point-of-sale devices, keep files encrypted when sensitive data leaves the office, and dispose of data securely, e.g., wiping devices after use or shedding documents to make them unreadable.

A mix of common sense, friendly reminders, and helpful hints, the FTC’s new “Start with Security” guidance is really an enforcement roadmap against which the FTC will evaluate companies in the event of a data security incident. The ten lessons from the FTC are nonetheless useful for companies to consider in evaluating their own data security systems and response mechanisms.