On June 30, 2015, the Federal Trade Commission (“FTC”) released a report entitled “Start with Security: A Guide for Business.” The report summarizes certain security practices that the FTC has identified in its more than 50 enforcement actions pertaining to data security. The report divides these security practices into the following categories: (1) collection, use, and disposal of personal information, (2) access control, (3) authentication practices, (4) encryption, (5) network segmentation and monitoring, (6) remote access, (7) product development, (8) service providers, (9) updating procedures, and (10) paper, physical media, and devices.
The report encourages businesses to adopt a number of security practices within each category. Specifically, the report recommends that businesses limit their collection of personal information to only that information for which they have a business need, that they dispose of personal information once they no longer have a business need for it, and that they substitute fictitious information for personal information whenever possible. The report also encourages businesses to limit access to personal information and administrative access to only those employees who have a business need for such access. The report further recommends that businesses implement strong authentication procedures, which should include developing a password policy that requires employees to use complex passwords, prohibiting the storage of user credentials in clear text, implementing a policy of suspending or disabling an account after repeated failed login attempts to guard against brute force attacks, and protecting against authentication bypass.
The report further recommends that businesses encrypt personal data from the moment they collect it until the moment they destroy it, use industry-tested forms of encryption, and make sure that the encryption is properly configured. According to the report, businesses should segment their networks so that they can provide increased security for particularly sensitive information, and they should implement intrusion detection technology so that they can identify and prevent attacks on the network. Businesses should also require that individuals with remote access to their network implement basic endpoint security, such as using a firewall and antivirus software, and they should limit the level of access that a third party can have within their network.
Additionally, the report recommends that businesses that develop products and services ensure that their software engineers are trained in secure coding practices, that they follow the secure development guidelines set by the platform when applicable, that they verify that any privacy and security features work as intended, and that they test for common vulnerabilities. The report also encourages businesses to supervise the security practices of their service providers. Businesses are encouraged to incorporate appropriate security requirements into their contracts with third parties, and to conduct regular oversight of their service providers’ security practices. Businesses should also keep their security current by implementing software updates and patches in a timely manner and by responding quickly to fix any publicly announced vulnerabilities. Finally, the report encourages businesses to protect paper records and portable media by securely storing records and devices, implementing secure transportation practices when transportation of portable media is necessary, and implementing secure data disposal procedures.