Yesterday the FTC released a guide for businesses based on lessons learned from the more than 50 reported FTC enforcement actions. This new guide, “Start With Security: A Guide For Business” outlines a general “standard of care” for keeping sensitive data secure. It includes ten general practices, each of which is based on lessons learned from FTC enforcement actions:

  1. Start with security: Factor security into decision-making at every department and level of your business. A foundational principle is that no one can steal information you don’t have, so don’t collect personal information you don’t need. If you must collect information, only keep it as long as there is a legitimate business need for it, and only use it when it is necessary to do so.
  2. Control access to data: Only allow access to information on a “need to know” basis. If employees don’t need access to personal information as part of their job, they should not have access to it. Always tailor access to personal information based upon employee occupational needs.
  3. Require secure passwords and authentication: Insist on complex and unique passwords, and ensure that they are stored securely – perhaps requiring two-factor authentication. Guard against brute force attacks by disabling user credentials after repeated unsuccessful login attempts, and protect against authentication bypass by regularly testing for common vulnerabilities.
  4. Store sensitive personal information securely and protect it during transmission: Use strong encryption to secure sensitive information throughout its lifecycle, use industry-tested and accepted methods to do so, and ensure that the implementation of encryption is properly configured.
  5. Segment your network and monitor who’s trying to get in and out: Use tools, like firewalls, to segment your network, limiting access between devices on your network, and limiting access between those devices and the Internet. Use tools, like intrusion detection and intrusion prevention systems, to monitor the flow of data on your network.  It is as important to know what is getting into your network as it is to know what is leaving or being exfiltrated from it.
  6. Secure remote access to your network: Your network security is only as strong as the device with the weakest security, and this typically occurs on a device that can be accessed remotely. Secure all devices that can be accessed remotely, and put sensible access limits in place. This may include limiting third-party access, restricting connections to specified IP addresses, or granting only temporary, limited access.
  7. Apply sound security practices when developing new products: “Bake in” security in the development, design, testing and roll-out of new apps or innovative software. Train your engineers in secure coding, follow platform guidelines for security, verify that privacy and security features work, and test for common vulnerabilities.
  8. Make sure your service providers implement reasonable security measures: Insist that appropriate security safeguards are written into contracts with third party providers and verify that representations about compliance are manifested in reality.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise: Regularly update and patch third-party software to ensure that known vulnerabilities are eliminated, and develop systems to identify and quickly respond to credible security warnings.
  10. Secure paper, physical media, and devices: Securely store sensitive files, protect devices that process personal information, keep safety standards in place when data is enroute, and dispose of sensitive data securely.

The FTC released its guide as it announced a series of conferences to be held across the country to promote good data security practices.   The first event will be held on September 9th in San Francisco.