Part III of III | FTC Provides Guidance on Reasonable Data Security Practices

Part III of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry


See all of Our JDSupra Posts by Clicking the Badge Below

View Patrick Law Group, LLC

This is the third in a series of three articles on the FTC’s Stick with Security blog. Part I and Part II of this series can be found here and here.

Over the past 15 years, the Federal Trade Commission (FTC) has brought more than 60 cases against companies for unfair or deceptive data security practices that put consumers’ personal data at unreasonable risk.  Although the FTC has stated that the touchstone of its approach to data security is reasonableness, the FTC has faced considerable criticism from the business community for lack of clarity as to as to what it considers reasonable data security.

Earlier this year, FTC Acting Chairman Maureen Ohlhausen pledged greater transparency concerning practices that contribute to reasonable data security.  As a follow-up to Ohlhausen’s pledge, the FTC published a weekly blog over the past few months, Stick with Security, that focuses on the ten principles outlined in its Start with Security Guide for Businesses. In the blog, the FTC uses examples taken from complaints and orders to offer additional clarity on each principle included in the Start with Security guidelines.

This is the third of three articles reviewing the security principles discussed by the FTC in its Stick with Security blog.

Apply sound security practices when developing new products

Train your engineers in secure coding.  Sound security practices should be part of the product development process, and security should be considered at every stage.  The FTC stresses that companies must create a work environment that encourages employees to consider potential security issues throughout development.  The push to launch a product should not come at the cost of data security.

Follow platform guidelines for security.   All major platforms provide security guidelines and best practices, and the FTC strongly urges companies to consider such recommendations during product development.  For example, if a platform makes an API available to mobile app developers that will provide industry-standard encryption, a company would be well advised to consider using the platform’s API to help protect sensitive data that will be collected by the mobile app.

Verify that security features work.  Products should be tested for security vulnerabilities prior to launch.  In addition, any representation made to consumers with respect to a product’s security must be supported by demonstrable evidence prior to making the product available to consumers.  Under the FTC Act, companies will be responsible for any express or implied representation made to consumers.  Consequently, companies should consider whether any statement or depiction included in any marketing materials, packaging, social media posts, privacy policies, or in any other company content would be understood by a consumer acting reasonably under the circumstance to constitute a promise or representation regarding the product’s security.  If so, such statements or depictions must meet truth-in-advertising standards.

Test for common vulnerabilities.  Although it may not be possible to remove the threat of all security vulnerabilities, companies should use the security tools that are available to reduce the risk of a data breach and protect against known risks.  In addition, companies must view security as a dynamic process, and take new threats and vulnerabilities into account when designing new or updated products.

Make sure your service providers implement reasonable security measures

Do your due diligence.  The FTC cautions companies to take a “trust, but verify” approach to their service providers.  Companies must undertake adequate due diligence to confirm that their service providers have sufficient security controls in place to maintain the security of sensitive data.

Put it in writing. In order to reduce the risk of a service provider failing to maintain adequate security practices, companies must include appropriate security requirements in their agreements with service providers.  Failure to hold service providers to specific security requirements as a contractual matter is a missed opportunity to take reasonable steps to safeguard customers’ data.

Verify Compliance.  Although due diligence and contractual requirements with service providers are important components of a company’s data security policy, a company should also verify that its service providers are complying with contractual requirements.  For example, if a retailer engages a third party to develop and launch a mobile app but wants to ensure that geolocation data is not collected, the retailer’s agreement with the mobile app developer should include a prohibition on the mobile app being enabled to collect geolocation data from end users unless an individual affirmatively opts in.  Prior to launching the app, the retailer should conduct a test of the app to ensure that any compliance issues are corrected prior to launch.

Put procedures in place to keep your security current and address vulnerabilities that may arise.

Update and patch software.  Security is an ever-evolving process, thus companies need to ensure that third-party software is kept up-to date by promptly applying security patches and updates. In addition, if a company has made its own proprietary software available to customers, the company must ensure that it has a way to alert customers to known vulnerabilities and can provide the necessary patches and updates.  A company that fails to alert its customers to a patch that is necessary to address a software vulnerability is exposing consumers’ sensitive information to unnecessary risk.

Plan how you will deliver security updates for your product’s software. Companies should assume that they will discover software vulnerabilities in the future.  As a result, companies should anticipate the future need to release security updates after the product has launched.  As an example of prudent security practices, the FTC provides the example of a company that manufactures a thermostat that connects to the internet.  The company configures the thermostat’s default settings to install security patches released by the company, thus offering consumers a more secure product by design.

Heed credible security warnings and move quickly to fix the problem.  Due to the ever-evolving nature of technology and cybersecurity threats, Companies should keep up-to-date on new threats, and modify their security requirements accordingly.  In addition, companies must ensure that there is a clear path to reporting potential security vulnerabilities to individuals who are best positioned to take action if necessary.  As an example of a good process for reporting potential security issues, the FTC describes an app developer that receives thousands of emails a day.  Because of the large volume of daily email, the app developer directs customers to a specific email address (separate from the developer’s general email) to report security concerns, and has a knowledgeable employee monitor the mailbox and immediately flag plausible concerns for the company’s security engineers.  The FTC notes that by implementing such a procedure for reporting security concerns, the app developer may be able to mitigate the risk of a security incident.

Secure paper, physical media, and devices

Securely store sensitive files.  In addition to safeguarding digital data, Companies must also implement adequate security protections for paper documents.  For example, a company that stores files with sensitive information in an unsecured storage room has created unnecessary risk that sensitive information could be misappropriated.  A more prudent practice would be for the company to keep such files in a location with restricted access that is kept locked at all times.

Protect devices that process personal information.  If stolen, devices that store and process confidential data may offer easy access to not only the data on the stolen device, but also access to additional information on a company network.  As an illustration of prudent security practices, the FTC describes a data processing firm’s security practices with respect to employee smartphone use.  The company encrypted all data on the phones and required employees to password protect their devices.  In addition, the company safeguarded against security breaches due to lost phones by using device-finding services and applications that would remotely wipe missing devices.  Employees were also trained on the importance of following the mobile device security requirements and the company also stressed the importance of promptly reporting lost phones.

Keep safety standards in place when data is en route.  Just as companies need to safeguard sensitive digital data through encryption, companies must also use reasonable security practices when physically transferring sensitive information.  For example, a company assigned an employee to collect purchase orders with sensitive consumer information from various company locations on a daily basis.  During a personal errand, the purchase orders were stolen from the back of the employee’s car after she left the orders unattended in her car. The FTC notes that the company contributed to the risk of unauthorized access of the information included in the purchase orders because the company failed to train its employees as to how they should safeguard documents while in transit.

Dispose of sensitive data securely. Prudent security practices include document and data destruction protocols.  Companies should remember that businesses subject to the Fair Credit Reporting Act are also subject to requirements regarding the disposal of sensitive data as a matter of law.

Although the FTC’s Stick with Security blog provides guidance regarding practices that contribute to reasonable data security, the FTC stresses that data security cannot be condensed into a one-and-done checklist.  Companies must consider what is reasonable considering the nature of a company’s business, the sensitivity and volume of information collected, the size and complexity of data operations, and the cost of available tools to improve security and reduce vulnerabilities. In addition, companies must remember that security measures that were adequate last year may no longer offer adequate protection from future threats.

OTHER THOUGHT LEADERSHIP POSTS:

Good, Bad or Ugly? Implementation of Ethical Standards In the Age of AI

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below With the explosion of artificial intelligence (AI) implementations, several technology organizations have established AI ethics teams to ensure that their respective and myriad uses across...

IoT Device Companies: The FTC is Monitoring Your COPPA Data Deletion Duties and More

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below Recent Federal Trade Commission (FTC) activities with respect to the Children’s Online Privacy Protection Act (COPPA) demonstrate a continued interest in, and increased scrutiny of,...

Predictive Algorithms in Sentencing: Are We Automating Bias?

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below Although algorithms are often presumed to be objective and unbiased, recent investigations into algorithms used in the criminal justice system to predict recidivism have produced compelling...

My Car Made Me Do It: Tales from a Telematics Trial

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below Recently, my automobile insurance company gauged my interest in saving up to 20% on insurance premiums.  The catch?  For three months, I would be required to install a plug-in monitor that...

When Data Scraping and the Computer Fraud and Abuse Act Collide

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below As the volume of data available on the internet continues to increase at an extraordinary pace, it is no surprise that many companies are eager to harvest publicly available data for their own use...

Is Your Bug Bounty Program Uber Risky?

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In October 2016, Uber discovered that the personal contact information of some 57 million Uber customers and drivers, as well as the driver’s license numbers of over 600,000 United States...

IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In “IoT Device Companies:  Add COPPA to Your "To Do" Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be...

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to...

#TheFTCisWatchingYou: Influencers, Hashtags and Disclosures 2017 Year End Review

Influencer marketing, hashtags and proper disclosures were the hot button topic for the Federal Trade Commission (the “FTC”) in 2017, so let’s take a look at just how the FTC has influenced Social Media Influencer Marketing in 2017. First, following up on the more...

Part III of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below This is the third in a series of three articles on the FTC’s Stick with Security blog. Part I and Part II of this series can be found here and here. Over the past 15 years, the Federal Trade...

Apple’s X-Cellent Response to Sen. Franken’s Queries Regarding Facial Recognition Technologies

Apple’s X-Cellent Response to Sen. Franken’s Queries Regarding Facial Recognition Technologies

By Dawn Ingley


See all of Our JDSupra Posts by Clicking the Badge Below

View Patrick Law Group, LLC

Recently, I wrote an article outlining the growing body of state legislation designed to address and mitigate emerging privacy concerns over facial recognition technologies.  It now appears that the issue will be examined at the federal level.  In September, Senator Al Franken of Minnesota, concerned that certain Apple technologies would be used to benefit other sectors of its business, as a “big data” profit center or to satisfy law enforcement agency requests, issued a series of pointed questions to Apple regarding its iPhone X’s FaceID.  That letter included the following questions:

  • Is it possible for Apple or a third party to extract faceprint data from iPhone X?
  • How was the FaceID algorithm developed and how did Apple gather data for the algorithm?
  • How does Apple protect against racial, gender or age bias in FaceID?
  • How does FaceID distinguish between an actual face of a person, as opposed to the photograph of that face?
  • Can Apple assure users that it will never share faceprint data?
  • Does FaceID cause the device to continually “look” for a facial profile and in doing so, does it record other faces as well?

The response from Apple, made public on October 17th, was quite illuminating:

  • FaceID works by using iPhone X’s TrueDepth camera to scan and analyze a user’s face based on depth perception maps and two-dimensional technology.  That scan is then authenticated with images stored in iPhone X’s Secure Enclave.
  • Data from the Secure Enclave is never backed up to the cloud, does not leave the device and isn’t even saved in device backups.  Scanned faces are deleted after being used to unlock iPhone X.
  • The neural network that helps to form the algorithm was created from over a billion images from individuals who provided specific consent to Apple.  Further, a broad cross-section of individuals spanning gender, race, ethnicity, and age, was leveraged to create the algorithm.
  • Passcodes will still be available to unlock devices if users choose not to use FaceID.
  • Any third party applications that leverage FaceID for authentication don’t actually access FaceID; rather, those apps are notified only as to whether authentication was approved.

As ranking member on the Judiciary Committee, Subcommitee on Privacy, Technology and the Law, Senator Franken’s foray into technology and privacy matters is not new.  In 2013, he presented a similar set of questions when Apple introduced the iPhone 5S Touch ID fingerprint scanner.   Shortly after that inquiry, Apple published a white paper outlining the steps it had taken with Touch ID to assure Senator Franken that privacy concerns were of the highest priority to Apple.  The collaboration between Senator Franken and Apple is vital in a time when a body of privacy laws to address facial recognition technologies is still emerging and protections are lacking in most jurisdictions.  It will be interesting to see if other technology providers embrace a similar level of transparency in their product rollouts.

OTHER THOUGHT LEADERSHIP POSTS:

Good, Bad or Ugly? Implementation of Ethical Standards In the Age of AI

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below With the explosion of artificial intelligence (AI) implementations, several technology organizations have established AI ethics teams to ensure that their respective and myriad uses across...

IoT Device Companies: The FTC is Monitoring Your COPPA Data Deletion Duties and More

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below Recent Federal Trade Commission (FTC) activities with respect to the Children’s Online Privacy Protection Act (COPPA) demonstrate a continued interest in, and increased scrutiny of,...

Predictive Algorithms in Sentencing: Are We Automating Bias?

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below Although algorithms are often presumed to be objective and unbiased, recent investigations into algorithms used in the criminal justice system to predict recidivism have produced compelling...

My Car Made Me Do It: Tales from a Telematics Trial

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below Recently, my automobile insurance company gauged my interest in saving up to 20% on insurance premiums.  The catch?  For three months, I would be required to install a plug-in monitor that...

When Data Scraping and the Computer Fraud and Abuse Act Collide

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below As the volume of data available on the internet continues to increase at an extraordinary pace, it is no surprise that many companies are eager to harvest publicly available data for their own use...

Is Your Bug Bounty Program Uber Risky?

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In October 2016, Uber discovered that the personal contact information of some 57 million Uber customers and drivers, as well as the driver’s license numbers of over 600,000 United States...

IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In “IoT Device Companies:  Add COPPA to Your "To Do" Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be...

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to...

#TheFTCisWatchingYou: Influencers, Hashtags and Disclosures 2017 Year End Review

Influencer marketing, hashtags and proper disclosures were the hot button topic for the Federal Trade Commission (the “FTC”) in 2017, so let’s take a look at just how the FTC has influenced Social Media Influencer Marketing in 2017. First, following up on the more...

Part III of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below This is the third in a series of three articles on the FTC’s Stick with Security blog. Part I and Part II of this series can be found here and here. Over the past 15 years, the Federal Trade...

Pros and Cons of Hiring a Security Rating Agency

Pros and Cons of Hiring a Security Rating Agency

By Jennifer Thompson


See all of Our JDSupra Posts by Clicking the Badge Below

View Patrick Law Group, LLC

One can hardly check out any news outlet today without reading or hearing about a security breach.  Experts frequently advocate performing internal assessments to identify security weaknesses.  Commentators tout the importance of assessing the security of the entities with which you do business.  Investors, partners and markets shy away from companies that are not proactive enough with respect to security. Given the multitude of variables involved and security measures available, how can a company convey the effectiveness of its own security program in a meaningful manner? Further, given how fact and business-specific that security is, how can one company compare its own security measures to those taken by another company?  Many companies turn to independent ratings agencies for an objective evaluation and systematized rating.

Security rating agencies are becoming instrumental in helping companies evaluate security risks and potential transactions.  Investors in start-ups will use such ratings to evaluate risks and identify future investment needs of the entity.  Security ratings are a critical part of due diligence review in mergers, acquisitions and joint ventures.  Procurement departments routinely require vendors to obtain ratings before entering into agreements.  Some companies may even request that a rating agency evaluate its own operations to identify weak points and opportunities for improvement.

In compiling the ratings, the rating agencies compile public and private data points, feed them into the agency’s proprietary algorithm and generate a “score.”  Scores can be used to measure one entity’s security efforts against others.  Of course, the rating is only as reliable as the entity providing it, so is it worth it to expend the money on these services?  Similarly, once a score is obtained, can it harm your business?  Will others deem your score too low?  Will the publication of your score actually hamper prospects operations?  Or worse, will having a low score published ultimately make you a more attractive target to would-be hackers?

Fortunately, some forty-odd companies and the US Chamber of Commerce identified the need for suggesting a standardized methodology for the security rating agencies.  In June 2017, these companies and the US Chamber of Commerce issued the Principles for Fair and Accurate Security Ratings (the “Principles”).

The Principles seek to establish guidelines for fair and accurate reporting of security ratings and promote standards for the appropriate use and disclosure of the scores.  The Principles suggest that all security rating agencies should:

  • provide transparency of the methodologies and data used to create the rating;
  • provide a mechanism by which entities that are rated can dispute, correct and/or appeal any rating published by the ratings agencies;
  • provide advance notice of any changes to ratings methodologies so that rated companies are clear on how the procedural changes may affect their scores;
  • remain independent of the entities they rate; and
  • maintain confidentiality of all sensitive information (including information shared during disputes, non-public ratings and other private information).

Hopefully, the Principles will result in greater consistency among rating agencies, increased reliability in the scores and more efficiency in the ratings process itself.  All of these Principles ideally will lead to candid discussions among business partners as to how entities can improve their security and, more importantly, suffer fewer breaches.

Of course, every company must assess whether to have itself rated and how to utilize and share any scores it obtains from the various rating agencies.  But assuming the agency retained to provide the security rating is in compliance with the Principles, at least buyers of these services can be reasonably certain they are receiving a truly objective measure with full opportunity to appeal or clarify any questions with respect to the score.

So, if your entity uses a security rating agency, make sure it is one that is operating in compliance with the Principles for Fair and Accurate Security Ratings espoused by the Chamber of Commerce.

OTHER THOUGHT LEADERSHIP POSTS:

Good, Bad or Ugly? Implementation of Ethical Standards In the Age of AI

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below With the explosion of artificial intelligence (AI) implementations, several technology organizations have established AI ethics teams to ensure that their respective and myriad uses across...

IoT Device Companies: The FTC is Monitoring Your COPPA Data Deletion Duties and More

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below Recent Federal Trade Commission (FTC) activities with respect to the Children’s Online Privacy Protection Act (COPPA) demonstrate a continued interest in, and increased scrutiny of,...

Predictive Algorithms in Sentencing: Are We Automating Bias?

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below Although algorithms are often presumed to be objective and unbiased, recent investigations into algorithms used in the criminal justice system to predict recidivism have produced compelling...

My Car Made Me Do It: Tales from a Telematics Trial

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below Recently, my automobile insurance company gauged my interest in saving up to 20% on insurance premiums.  The catch?  For three months, I would be required to install a plug-in monitor that...

When Data Scraping and the Computer Fraud and Abuse Act Collide

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below As the volume of data available on the internet continues to increase at an extraordinary pace, it is no surprise that many companies are eager to harvest publicly available data for their own use...

Is Your Bug Bounty Program Uber Risky?

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In October 2016, Uber discovered that the personal contact information of some 57 million Uber customers and drivers, as well as the driver’s license numbers of over 600,000 United States...

IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In “IoT Device Companies:  Add COPPA to Your "To Do" Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be...

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to...

#TheFTCisWatchingYou: Influencers, Hashtags and Disclosures 2017 Year End Review

Influencer marketing, hashtags and proper disclosures were the hot button topic for the Federal Trade Commission (the “FTC”) in 2017, so let’s take a look at just how the FTC has influenced Social Media Influencer Marketing in 2017. First, following up on the more...

Part III of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below This is the third in a series of three articles on the FTC’s Stick with Security blog. Part I and Part II of this series can be found here and here. Over the past 15 years, the Federal Trade...

Part II of III | FTC Provides Guidance on Reasonable Data Security Practices

Part II of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry


See all of Our JDSupra Posts by Clicking the Badge Below

View Patrick Law Group, LLC

This is the second in a series of three articles on the FTC’s Stick with Security blog. Part I and Part III of this series can be found here.

Over the past 15 years, the Federal Trade Commission (FTC) has brought more than 60 cases against companies for unfair or deceptive data security practices that put consumers’ personal data at unreasonable risk.  Although the FTC has stated that the touchstone of its approach to data security is reasonableness, the FTC has faced considerable criticism from the business community for lack of clarity as to as to what it considers reasonable data security.

Earlier this year, FTC Acting Chairman Maureen Ohlhausen pledged greater transparency concerning practices that contribute to reasonable data security.  As a follow-up to Ohlhausen’s pledge, the FTC published a weekly blog over the past few months, Stick with Security, that focuses on the ten principles outlined in its Start with Security Guide for Businesses. In the blog, the FTC uses examples taken from complaints and orders to offer additional clarity on each principle included in the Start with Security guidelines.

This is the second of three articles reviewing the security principles discussed by the FTC in its Stick with Security blog.

Store sensitive personal information securely and protect it during transmission.

Keep sensitive information secure throughout its lifecycle.  Businesses must understand how data travels through their network in order to safeguard sensitive information throughout the entire data life cycle. For example, a real estate company that collected sensitive financial data from prospective home buyers encrypted information sent from the customer’s browser to the company’s servers.   After data had entered the company’s system, however, the data was decrypted and sent in readable text to various branch offices.  Consequently, as a result of such decryption, the company failed to maintain appropriate security through the entire life cycle of the sensitive information being collected by the company.

Use industry-tested and accepted methods.  Although the market may reward products that are novel and unique, the FTC makes clear that when it comes to encryption methods, the FTC expects companies to use industry-tested and approved encryption.  As an example of a company that may not have employed reasonable security practices, the FTC describes an app developer that utilized its own proprietary method to encrypt data.  The more prudent decision would have been to deploy industry accepted encryption algorithms rather than the company’s own proprietary method, which was not industry tested and approved.

Ensure proper configuration.  Strong encryption is necessary, but not enough to protect sensitive data.  For example, the FTC found that a company misrepresented the security of its mobile app and failed to secure the transmission of sensitive personal information by disabling the SSL certification verification that would have protected consumers’ data.   A second example provided by the FTC of problematic configuration involved a travel company that used a Transport Layer Security (TLS) protocol to establish encrypted connections with consumers.  Although the company’s use of the TLS protocol was a prudent security practice,  the company then disabled the process to validate the TLS certificate.  The FTC notes that the company failed to follow recommendations from app developer platform providers by disabling the default validation settings and thus may not have used reasonable data security practices.

Segment your network and monitor who’s trying to get in and out.

Segment your network.  Companies that segment their network may minimize the impact of a data breach.  For example, use of firewalls to create separate areas on a network may reduce the amount of data that is accessed in the event hackers are able to gain access to a network.  The FTC provides the example of a retail chain that failed to adequately segment its network by permitting unrestricted data connections across its stores (e.g., allowing a computer from a store in one location to access employee information from another store).  By allowing unrestricted data connections across locations, hackers were able to use a security lapse in one location to gain access to sensitive data in other locations on the network.

Monitor activities on your network.  Companies should take advantage of the various tools available to alert businesses of suspicious activities, including unauthorized attempts to access a network, attempts to install malicious software and suspicious data exfiltration.

Secure remote access to your network.

               Ensure endpoint security.   Every device with a remote network connection creates a possible entry point for unauthorized access.  Consequently, securing the various endpoints on a network has become increasingly important with the rise in mobile threats.  Companies should establish security rules for employees, clients and service providers, including requirements concerning software updates and patches.  Establishing security protocols is not sufficient alone though, as companies should also verify that the security requirements are being followed.  In addition, companies must continually re-evaluate possible security threats and update endpoint security requirements and controls.

Put sensible access limits in place.  Companies should establish sensible limitations on remote network access.  For example, a company that engaged multiple vendors to remotely install and maintain software on the company’s network provided user accounts with full administrative privileges for each vendor.  The FTC notes that instead of providing all vendors with administrative access, the company should have provided full administrative privileges only to those vendors who truly required such access, and only for a limited period of time.  In addition, the company should have ensured that it could audit all vendor activities on the network, and attribute account use to individual vendor employees.

Part III of this series will discuss the importance of applying sound security practices, the security practices of service providers, procedures to keep security current and the need to secure paper, physical media and devices.

OTHER THOUGHT LEADERSHIP POSTS:

Good, Bad or Ugly? Implementation of Ethical Standards In the Age of AI

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below With the explosion of artificial intelligence (AI) implementations, several technology organizations have established AI ethics teams to ensure that their respective and myriad uses across...

IoT Device Companies: The FTC is Monitoring Your COPPA Data Deletion Duties and More

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below Recent Federal Trade Commission (FTC) activities with respect to the Children’s Online Privacy Protection Act (COPPA) demonstrate a continued interest in, and increased scrutiny of,...

Predictive Algorithms in Sentencing: Are We Automating Bias?

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below Although algorithms are often presumed to be objective and unbiased, recent investigations into algorithms used in the criminal justice system to predict recidivism have produced compelling...

My Car Made Me Do It: Tales from a Telematics Trial

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below Recently, my automobile insurance company gauged my interest in saving up to 20% on insurance premiums.  The catch?  For three months, I would be required to install a plug-in monitor that...

When Data Scraping and the Computer Fraud and Abuse Act Collide

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below As the volume of data available on the internet continues to increase at an extraordinary pace, it is no surprise that many companies are eager to harvest publicly available data for their own use...

Is Your Bug Bounty Program Uber Risky?

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In October 2016, Uber discovered that the personal contact information of some 57 million Uber customers and drivers, as well as the driver’s license numbers of over 600,000 United States...

IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In “IoT Device Companies:  Add COPPA to Your "To Do" Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be...

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to...

#TheFTCisWatchingYou: Influencers, Hashtags and Disclosures 2017 Year End Review

Influencer marketing, hashtags and proper disclosures were the hot button topic for the Federal Trade Commission (the “FTC”) in 2017, so let’s take a look at just how the FTC has influenced Social Media Influencer Marketing in 2017. First, following up on the more...

Part III of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below This is the third in a series of three articles on the FTC’s Stick with Security blog. Part I and Part II of this series can be found here and here. Over the past 15 years, the Federal Trade...

Part I of III | FTC Provides Guidance on Reasonable Data Security Practices

Part I of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry


See all of Our JDSupra Posts by Clicking the Badge Below

View Patrick Law Group, LLC

This is the first in a series of three articles on the FTC’s Stick with Security blog. Part II and Part III of this series can be found here.

Over the past 15 years, the Federal Trade Commission (FTC) has brought more than 60 cases against companies for unfair or deceptive data security practices that put consumers’ personal data at unreasonable risk.  Although the FTC has stated that the touchstone of its approach to data security is reasonableness, the FTC has faced considerable criticism from the business community for lack of clarity as to as to what it considers reasonable data security.

Earlier this year, FTC Acting Chairman Maureen Ohlhausen pledged greater transparency concerning practices that contribute to reasonable data security.  As a follow-up to Ohlhausen’s pledge, the FTC published a weekly blog over the past few months, Stick with Security, that focuses on the ten principles outlined in its Start with Security Guide for Businesses. In the blog, the FTC uses examples taken from complaints and orders to offer additional clarity on each principle included in the Start with Security guidelines.

This is the first of three articles reviewing the security principles discussed by the FTC in its Stick with Security blog.

Start with Security 

Don’t collect personal information you don’t need.  After a security incident, many businesses realize that collecting sensitive information just because a company has the ability to do so is no longer a good business strategy.  In addition, it is easier for companies to protect a limited set of sensitive data than large amounts of personal information located on a company’s network.  Consequently, a company that limits the data it collects may be better positioned to demonstrate that its security practices are reasonable.  For example, following one security breach that resulted in the exposure of information of over 7,000 consumers, the FTC decided not to pursue a law enforcement action, in part, because the company had deliberately limited the sensitive information it collected.

Hold on to information only as long as you have a legitimate business need.  Companies should routinely review the data it has collected and dispose of data that is no longer needed.  As an example of inadequate data purging practices, the FTC cited the example of a large company that stored personal information collected at recruiting fairs on an unencrypted company laptop. The company used the same laptop at each recruiting event, never removing sensitive information from the laptop.  The company should have, as the FTC points out, removed candidates’ sensitive information that was no longer needed.

Don’t use personal information when it’s not necessary.  The FTC recognizes that companies have legitimate business reasons to use sensitive data, however, it stresses that companies should not use sensitive information in contexts that create unnecessary risks.

Train your staff on your standards – and make sure they’re following through.  Company staff are both the greatest security risk and also a company’s first line of defense against security breaches. Training is not a one-time endeavor – companies must continue to train staff on new security practices and provide refresher training on current company policies.  The FTC also stressed the importance of deputizing staff to provide suggestions and practical advice that C-suite executives may not have.

When feasible, offer consumers more secure choices.  Companies should make it easy for consumers to make choices that result in greater security of their data, and should consider setting default settings for their products at the most protective levels.  As an example of inadequate security practices, the FTC cited a manufacturer that configured the default settings on its routers so that anyone online could gain access to the files on the storage devices connected to the routers.  The manufacturer failed to adequately explain the default settings to consumers, and could have possibly avoided unauthorized access had it configured the default setting in a more secure manner.

Control access to data sensibly.

Restrict access to sensitive data.  Employers should limit the access employees and other individuals have to sensitive data, both through physical access (e.g., locking a desk drawer) or by restricting sensitive network files to a limited number of employees with password protected access.

Limit administrative access.  The FTC compares a company’s need to safeguard and limit access to administrative rights to a bank’s need to safeguard the combination to the bank’s vault.  Limiting the number of employees who have administrative access can reduce a company’s security risk.

Require secure passwords and authentication

               Insist on long, complex and unique passwords and store passwords securely. Companies should require that employees create strong, unique passwords.  In addition, companies should configure consumer products so that consumers are required to change the default password upon first use. Of course, strong passwords are of little use if passwords are not stored properly and are compromised. In addition, Companies can guard against brute force attacks by configuring their network so that user credentials can be suspended or disabled after a specified number of unsuccessful login attempts.

Protect sensitive accounts with more than just a password. Because individuals often use the same passwords for various online accounts, such login credentials can leave companies and consumers vulnerable to credential stuffing attacks.  Companies should consider requiring multiple authentication methods for access to accounts or applications with sensitive data.

Protect against authentication bypass.  If hackers are not able to access their targeted application through the front door, they will look for other available access points.  One way to reduce the risk of authentication bypass is to limit entry to an authentication point that can be monitored by the Company.

Part II will discuss the storage and protection of sensitive information, segmenting your network and securing remote access. Click here for Part II.

OTHER THOUGHT LEADERSHIP POSTS:

Good, Bad or Ugly? Implementation of Ethical Standards In the Age of AI

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below With the explosion of artificial intelligence (AI) implementations, several technology organizations have established AI ethics teams to ensure that their respective and myriad uses across...

IoT Device Companies: The FTC is Monitoring Your COPPA Data Deletion Duties and More

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below Recent Federal Trade Commission (FTC) activities with respect to the Children’s Online Privacy Protection Act (COPPA) demonstrate a continued interest in, and increased scrutiny of,...

Predictive Algorithms in Sentencing: Are We Automating Bias?

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below Although algorithms are often presumed to be objective and unbiased, recent investigations into algorithms used in the criminal justice system to predict recidivism have produced compelling...

My Car Made Me Do It: Tales from a Telematics Trial

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below Recently, my automobile insurance company gauged my interest in saving up to 20% on insurance premiums.  The catch?  For three months, I would be required to install a plug-in monitor that...

When Data Scraping and the Computer Fraud and Abuse Act Collide

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below As the volume of data available on the internet continues to increase at an extraordinary pace, it is no surprise that many companies are eager to harvest publicly available data for their own use...

Is Your Bug Bounty Program Uber Risky?

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In October 2016, Uber discovered that the personal contact information of some 57 million Uber customers and drivers, as well as the driver’s license numbers of over 600,000 United States...

IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In “IoT Device Companies:  Add COPPA to Your "To Do" Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be...

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to...

#TheFTCisWatchingYou: Influencers, Hashtags and Disclosures 2017 Year End Review

Influencer marketing, hashtags and proper disclosures were the hot button topic for the Federal Trade Commission (the “FTC”) in 2017, so let’s take a look at just how the FTC has influenced Social Media Influencer Marketing in 2017. First, following up on the more...

Part III of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below This is the third in a series of three articles on the FTC’s Stick with Security blog. Part I and Part II of this series can be found here and here. Over the past 15 years, the Federal Trade...