Part I of III | FTC Provides Guidance on Reasonable Data Security Practices

Oct 16, 2017

By Linda Henry

Patrick Law Group, LLC

Over the past 15 years, the Federal Trade Commission (FTC) has brought more than 60 cases against companies for unfair or deceptive data security practices that put consumers’ personal data at unreasonable risk. Although the FTC has stated that the touchstone of its approach to data security is reasonableness, the FTC has faced considerable criticism from the business community for a lack of clarity as to what it considers reasonable data security.

Earlier this year, FTC Acting Chairman Maureen Ohlhausen pledged greater transparency concerning practices that contribute to reasonable data security. As a follow-up to Ohlhausen’s pledge, the FTC published a weekly blog over the past few months, Stick with Security, that focuses on the ten principles outlined in its Start with Security Guide for Businesses. In the blog, the FTC uses examples taken from its complaints and orders to offer additional clarity on each principle included in the Start with Security guidelines.

This is the first of three articles reviewing the security principles discussed by the FTC in its Stick with Security blog.

Start with Security 

Don’t collect personal information you don’t need. After a security incident, many businesses realize that collecting sensitive information simply because the company has the ability to do so is no longer a good business strategy. In addition, it is easier for a company to protect a limited set of sensitive data than large amounts of personal information spread across its network. Consequently, a company that limits the data it collects may be better positioned to demonstrate that its security practices are reasonable. For example, following one security breach that exposed the information of over 7,000 consumers, the FTC decided not to pursue a law enforcement action, in part because the company had deliberately limited the sensitive information it collected.

Hold on to information only as long as you have a legitimate business need. Companies should routinely review the data they have collected and dispose of data that is no longer needed. As an example of inadequate data purging practices, the FTC cited a large company that stored personal information collected at recruiting fairs on an unencrypted company laptop. The company used the same laptop at each recruiting event and never removed sensitive information from it. As the FTC points out, the company should have removed candidates’ sensitive information once it was no longer needed.

Don’t use personal information when it’s not necessary. The FTC recognizes that companies have legitimate business reasons to use sensitive data; however, it stresses that companies should not use sensitive information in contexts that create unnecessary risks.

Train your staff on your standards – and make sure they’re following through. Company staff are both the greatest security risk and a company’s first line of defense against security breaches. Training is not a one-time endeavor – companies must continue to train staff on new security practices and provide refresher training on current company policies. The FTC also stressed the importance of deputizing staff to provide suggestions and practical advice that C-suite executives may not have.

When feasible, offer consumers more secure choices. Companies should make it easy for consumers to make choices that result in greater security of their data, and should consider setting the default settings for their products at the most protective levels. As an example of inadequate security practices, the FTC cited a manufacturer that configured the default settings on its routers so that anyone online could gain access to the files on the storage devices connected to the routers. The manufacturer failed to adequately explain the default settings to consumers, and might have avoided the unauthorized access had it configured the default settings more securely.

Control access to data sensibly.

Restrict access to sensitive data. Employers should limit the access that employees and other individuals have to sensitive data, both by controlling physical access (e.g., locking a desk drawer) and by restricting sensitive network files to a limited number of employees with password-protected access.

Limit administrative access. The FTC compares a company’s need to safeguard and limit access to administrative rights to a bank’s need to safeguard the combination to its vault. Limiting the number of employees who have administrative access can reduce a company’s security risk.

Require secure passwords and authentication.

Insist on long, complex and unique passwords and store passwords securely. Companies should require that employees create strong, unique passwords. In addition, companies should configure consumer products so that consumers are required to change the default password upon first use. Of course, strong passwords are of little use if they are not stored properly and are compromised. Companies can also guard against brute force attacks by configuring their network so that user credentials are suspended or disabled after a specified number of unsuccessful login attempts.

Protect sensitive accounts with more than just a password. Because individuals often reuse the same passwords across online accounts, such login credentials can leave companies and consumers vulnerable to credential stuffing attacks. Companies should consider requiring multiple authentication methods for access to accounts or applications that hold sensitive data.
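The three password controls the FTC describes above (hashed rather than plaintext storage, a forced change of any default credential on first use, and suspension after a set number of failed logins) are shown together in this added Python example; it is illustrative code written for this article, not the FTC’s or any cited company’s implementation, and the lockout threshold of 5 and minimum length of 12 are assumed values the guidance does not specify.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the FTC guidance names no number
MIN_PASSWORD_LEN = 12    # assumed minimum for "long" passwords


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes                     # only the KDF output is stored, never the password
    must_change_password: bool = False  # True for a factory or default credential
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is a memory-hard KDF; a salt per account defeats precomputed tables.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def create_account(password: str, default_credential: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt), must_change_password=default_credential)


def login(acct: Account, password: str) -> str:
    """Return 'ok', 'change_password', 'locked' or 'denied'."""
    if acct.locked:
        return "locked"  # suspended until an administrator reviews the account
    if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
        acct.failed_attempts = 0
        return "change_password" if acct.must_change_password else "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True  # brute-force guard: disable after repeated failures
        return "locked"
    return "denied"


def change_password(acct: Account, old: str, new: str) -> bool:
    # Requires the current password and enforces the length policy before rehashing.
    if not hmac.compare_digest(acct.pw_hash, hash_password(old, acct.salt)):
        return False
    if len(new) < MIN_PASSWORD_LEN:
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new, acct.salt)
    acct.must_change_password = False
    return True
```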

Protect against authentication bypass. If hackers cannot access their targeted application through the front door, they will look for other available access points. One way to reduce the risk of authentication bypass is to limit entry to an authentication point that the company can monitor.

Part II will discuss the storage and protection of sensitive information, segmenting your network and securing remote access.
