On November 5, 2015, the Federal Trade Commission ("FTC") convened a workshop in Austin, Texas entitled "Start with Security." The workshop was the second event held by the FTC focusing on providing startup businesses with practical resources and strategies to implement effective data security measures. FTC Commissioner Terrell McSweeny opened the workshop by advising companies that market the privacy and security features of their products that they must live up to their claims. She also encouraged companies to address well-known vulnerabilities and integrate best practices throughout the product development and design processes.
The workshop included presentations from four panels. The first panel discussed how startups can build a culture of security. The panelists discussed the importance of limiting data collection from consumers and encouraged companies to provide better information security training for their employees. They also recommended that companies implement a risk management framework to provide employees with a clear reporting path for potential security vulnerabilities. The second panel addressed methods to test security and identify vulnerabilities in the high-growth startup environment. One panelist suggested that security professionals should send security alerts only when necessary. The panelist further suggested that such alerts should provide clear, concise information about the vulnerability and should use language that is accessible to non-security personnel when presenting solutions. Another panelist recommended that startups automate routine security assessments and deploy continuous testing technologies.
The third panel of the workshop focused on the potential security risks of using third-party codes or services. One panelist recommended that companies using third-party service providers include security requirements in their contracts with vendors to ensure that these vendors are accountable for addressing future security vulnerabilities. Another panelist encouraged companies to adopt a "vulnerability coordinate maturity model" and to seek guidance from proven industry standards. Finally, in the fourth panel, panelists discussed the use of website encryption and multifactor authentication. Panelists encouraged startups to adopt these tools and noted that their use does not significantly limit a website's performance. The FTC will hold its third "Start with Security" workshop on February 9, 2016 in Seattle, Washington. The workshop will focus on the measures small companies can take to secure their applications and products.