Part II of III | FTC Provides Guidance on Reasonable Data Security Practices

Published on JD Supra on October 18, 2017

This is the second in a series of three articles on the FTC’s Stick with Security blog. Part I and Part III of this series can be found here.

Over the past 15 years, the Federal Trade Commission (FTC) has brought more than 60 cases against companies for unfair or deceptive data security practices that put consumers’ personal data at unreasonable risk.  Although the FTC has stated that the touchstone of its approach to data security is reasonableness, the FTC has faced considerable criticism from the business community for lack of clarity as to as to what it considers reasonable data security.

Earlier this year, FTC Acting Chairman Maureen Ohlhausen pledged greater transparency concerning practices that contribute to reasonable data security.  As a follow-up to Ohlhausen’s pledge, the FTC published a weekly blog over the past few months, Stick with Security, that focuses on the ten principles outlined in its Start with Security Guide for Businesses. In the blog, the FTC uses examples taken from complaints and orders to offer additional clarity on each principle included in the Start with Security guidelines.

This is the second of three articles reviewing the security principles discussed by the FTC in its Stick with Security blog.

Store sensitive personal information securely and protect it during transmission.

Keep sensitive information secure throughout its lifecycle.  Businesses must understand how data travels through their network in order to safeguard sensitive information throughout the entire data life cycle. For example, a real estate company that collected sensitive financial data from prospective home buyers encrypted information sent from the customer’s browser to the company’s servers.   After data had entered the company’s system, however, the data was decrypted and sent in readable text to various branch offices.  Consequently, as a result of such decryption, the company failed to maintain appropriate security through the entire life cycle of the sensitive information being collected by the company.

Use industry-tested and accepted methods.  Although the market may reward products that are novel and unique, the FTC makes clear that when it comes to encryption methods, the FTC expects companies to use industry-tested and approved encryption.  As an example of a company that may not have employed reasonable security practices, the FTC describes an app developer that utilized its own proprietary method to encrypt data.  The more prudent decision would have been to deploy industry accepted encryption algorithms rather than the company’s own proprietary method, which was not industry tested and approved.

Ensure proper configuration.  Strong encryption is necessary, but not enough to protect sensitive data.  For example, the FTC found that a company misrepresented the security of its mobile app and failed to secure the transmission of sensitive personal information by disabling the SSL certification verification that would have protected consumers’ data.   A second example provided by the FTC of problematic configuration involved a travel company that used a Transport Layer Security (TLS) protocol to establish encrypted connections with consumers.  Although the company’s use of the TLS protocol was a prudent security practice,  the company then disabled the process to validate the TLS certificate.  The FTC notes that the company failed to follow recommendations from app developer platform providers by disabling the default validation settings and thus may not have used reasonable data security practices.

Segment your network and monitor who’s trying to get in and out.

Segment your network.  Companies that segment their network may minimize the impact of a data breach.  For example, use of firewalls to create separate areas on a network may reduce the amount of data that is accessed in the event hackers are able to gain access to a network.  The FTC provides the example of a retail chain that failed to adequately segment its network by permitting unrestricted data connections across its stores (e.g., allowing a computer from a store in one location to access employee information from another store).  By allowing unrestricted data connections across locations, hackers were able to use a security lapse in one location to gain access to sensitive data in other locations on the network.

Monitor activities on your network.  Companies should take advantage of the various tools available to alert businesses of suspicious activities, including unauthorized attempts to access a network, attempts to install malicious software and suspicious data exfiltration.

Secure remote access to your network.

               Ensure endpoint security.   Every device with a remote network connection creates a possible entry point for unauthorized access.  Consequently, securing the various endpoints on a network has become increasingly important with the rise in mobile threats.  Companies should establish security rules for employees, clients and service providers, including requirements concerning software updates and patches.  Establishing security protocols is not sufficient alone though, as companies should also verify that the security requirements are being followed.  In addition, companies must continually re-evaluate possible security threats and update endpoint security requirements and controls.

Put sensible access limits in place.  Companies should establish sensible limitations on remote network access.  For example, a company that engaged multiple vendors to remotely install and maintain software on the company’s network provided user accounts with full administrative privileges for each vendor.  The FTC notes that instead of providing all vendors with administrative access, the company should have provided full administrative privileges only to those vendors who truly required such access, and only for a limited period of time.  In addition, the company should have ensured that it could audit all vendor activities on the network, and attribute account use to individual vendor employees.

Part III of this series will discuss the importance of applying sound security practices, the security practices of service providers, procedures to keep security current and the need to secure paper, physical media and devices.

  •