The Federal Trade Commission hosted its fourth Start with Security event in Chicago, IL on June 15, 2016. This event was the latest installment of the Start with Security business education initiative launched last summer to engage in proactive outreach with the business community on information security standards and FTC expectations at a time when the FTC’s authority to reactively regulate data security was being challenged in federal court. In addition to the Start with Security events, the FTC also responded by synthesizing their 50+ data security settlements into “10 practical lessons” to guide companies looking to proactively comply with FTC data security expectations.
FTC representatives at the event included FTC Commissioner Maureen Ohlhausen; the Acting Director for the Midwest Region, Todd Kossow; the Enforcement Director for the FTC Office of Technology Research and Investigation, Steve Wernikoff; and three Division of Privacy and Identity Protection attorneys: Cora Han, Jim Trilling, and Andrea Arias.
The event was targeted at startups and small businesses and focused more on technology and business considerations than on legal principles. However, the topics chosen by FTC representatives provide clues about which areas of data security the FTC considers important, especially for new companies that lack the data security resources available to bigger companies.
Some takeaways from the event include the following:
- Data security makes good business sense: Panelists emphasized that there is now plenty of data about the costs of data breaches to support the claim that investments in data security make good business sense. Since the FTC focuses on the “reasonableness” of data security practices during enforcement actions, businesses should know that there may be a presumption that reasonable businesses will invest in data security.
- Data security should be a central part of your business culture: Data security should not be an afterthought for businesses. Businesses should focus on creating a security-aware culture, engage in threat modeling to identify and resolve data security risks, and leverage existing data security tools and the expertise of the data security community.
- Data security should be built into product development: For businesses developing software (or Internet of Things and other connected products), data security should be built into all stages of product development. Businesses should invest in static analysis, dynamic analysis, penetration testing, and unit testing. Some businesses might even consider implementing bug bounty programs to incentivize third parties to report bugs.
- Data security should be central in your relationship with third party providers: Data security considerations should inform choices of, and relationships with, third party providers. This includes third party technological or cloud-based services, but also any third party that can affect data security (such as the HVAC vendor in the Target data breach case). When choosing third party providers, businesses should conduct due diligence and ensure that data security provisions are included in contracts.
- Data security should inform your network and authentication choices: Because many data breaches happen through phishing, brute force attacks, and authentication bypass vulnerabilities, businesses should focus on data security when making network and authentication choices. This should include a focus on training employees and developing processes to ensure that data security policies are being consistently enforced.