Last month, the FTC issued new “guidance” on data security for companies that collect, store, and use consumer data. This guidance “summarizes the lessons learned from more than 50 law enforcement actions the FTC has announced so far.” The full text of the FTC’s Start with Security: A Guide for Business can be found at https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business. Given the consequences a security breach can have, it is important that employers have policies and procedures in place that direct employees on how they should handle and use sensitive information.
The ten lessons to learn from FTC enforcement actions are summarized as follows:
- Start with security. Factor security into the decision making in every part of your business – personnel, sales, accounting, IT. Don’t collect personal information you don’t need, such as consumer passwords. Hold onto this information only as long as you need it; once the sales transaction is complete, get rid of it. And don’t use personal information when it’s not necessary, such as in training sessions.
- Control access to data sensibly. Keep the data accessible on a “need to know” basis. Restrict employees’ access to sensitive information stored on your network, and don’t give every employee administrative control over your customers’ sensitive information.
- Require secure passwords and authentication. Businesses may want to consider protections such as two-factor authentication. Don’t make it easy for unauthorized persons to guess administrative passwords; “1234” is not a secure password. Store passwords securely, not in clear, readable text or in cookies. Guard against brute force attacks, such as a hacker’s use of automated programs to mine for passwords. Restrict the number of login attempts and suspend or disable accounts after repeated login attempts fail.
- Store sensitive personal information securely and protect it during transmission. Use strong cryptography to secure confidential material during storage and transmission. Keep sensitive information secure throughout its lifecycle, and make sure it cannot easily be decrypted. Use industry-tested and accepted methods for encryption.
- Segment your network and monitor who’s trying to get in and out. Use tools like firewalls and intrusion detection to limit access between computers and to monitor your network activity. Prevent computers on one in-store network from connecting to computers on other in-store and corporate networks. Monitor activity on your network to detect unauthorized access early.
- Secure remote access to your network. Make sure the cellphones you give out to employees are properly secured. And don’t allow unlimited access to third parties such as clients: make sure they have firewalls and updated antivirus software, restrict connections to specified IP addresses, and grant third parties only temporary, limited access.
- Apply sound security practices when developing new products. Think about security during the development process of new apps, software, etc. This should include training your engineers in securing code, following platform guidelines for security, verifying that privacy and security features work, and testing for common vulnerabilities.
- Make sure your service providers implement reasonable security measures. Before hiring an outside service provider, tell them about your security expectations and ensure that they can implement appropriate security measures. It helps to put the appropriate security standards in your contract with the provider and to verify that the service provider implements an information collection system consistent with your requirements.
- Put procedures in place to keep your security current and address vulnerabilities that may arise. Securing your software and networks is an ongoing process. You need to update and patch third-party software when it becomes outdated, heed credible security warnings, and act quickly to fix the problems they report.
- Secure paper, physical media, and devices. The lessons for network security apply equally to paper and physical media such as hard drives, laptops, flash drives and disks. Don’t allow sensitive consumer information to be easily accessible. Protect devices that process personal information. And keep security standards in place when the data is en route. For example, use mailing methods with tracking capability and limit your employees’ ability to take sensitive files outside of the office.
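The third lesson above (secure passwords and authentication) translates into two concrete controls: never store a password in readable form, and cut off brute-force guessing by limiting login attempts. The following Python is an added example, not code from the FTC guidance or from any company named in it. It keeps user records in an in-memory dictionary (a stand-in for a real database), derives a per-user salted PBKDF2-HMAC-SHA256 digest so that only the digest, never the password, is stored, compares digests in constant time, and suspends the account for a fixed period once a chosen number of consecutive failures is reached. The threshold of five attempts and the fifteen-minute lockout are assumed policy values; the 600,000 iteration count is the figure OWASP currently recommends for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory user store; a real application would persist these records.
_USERS = {}

PBKDF2_ITERATIONS = 600_000     # OWASP's current recommendation for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5         # assumed policy value: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60       # assumed policy value: how long the account stays suspended
_DUMMY_SALT = os.urandom(16)    # used so unknown usernames cost the same time as real ones


def hash_password(password, salt=None):
    """Return (salt, digest) for the password.

    A fresh random salt per user means two users with the same password get
    different digests, and the slow KDF makes offline guessing expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def create_user(username, password):
    """Store only the salt and digest; the clear-text password is never kept."""
    salt, digest = hash_password(password)
    _USERS[username] = {
        "salt": salt,
        "digest": digest,
        "failed": 0,          # consecutive failed attempts since the last success
        "locked_until": 0.0,  # epoch seconds; 0.0 means not locked
    }


def verify_login(username, password, now=None):
    """Check a login attempt. Returns 'ok', 'bad_password' or 'locked'.

    An unknown username is reported exactly like a wrong password so the
    response does not reveal which usernames exist.
    """
    now = time.time() if now is None else now
    rec = _USERS.get(username)
    if rec is None:
        hash_password(password, _DUMMY_SALT)  # burn the same cost as a real check
        return "bad_password"

    if now < rec["locked_until"]:
        # Suspended account: refuse even a correct password until the lockout expires,
        # and do not touch the counters, so the attacker learns nothing.
        return "locked"
    if rec["locked_until"]:
        # Lockout has expired; give the account a fresh set of attempts.
        rec["failed"] = 0
        rec["locked_until"] = 0.0

    _, candidate = hash_password(password, rec["salt"])
    if hmac.compare_digest(candidate, rec["digest"]):  # constant-time comparison
        rec["failed"] = 0
        return "ok"

    rec["failed"] += 1
    if rec["failed"] >= MAX_FAILED_ATTEMPTS:
        rec["locked_until"] = now + LOCKOUT_SECONDS
        return "locked"
    return "bad_password"


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    for attempt in range(MAX_FAILED_ATTEMPTS):
        print("guess", attempt + 1, verify_login("alice", "123456"))
    print("right password while locked:", verify_login("alice", "correct horse battery staple"))
```

The `now` parameter exists so the lockout clock can be driven deterministically in tests; production callers leave it unset. The same `bad_password` result for unknown and known usernames, together with the dummy hash for unknown names, keeps both the message and the response time from acting as a username oracle.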
Employers should keep these factors in mind when hiring and terminating staff. At the hiring or promotion stage, in addition to having strong consistent policies already in place, confidentiality agreements can be instituted to further protect data and provide an additional means of legal relief. Additionally, at the termination stage, make sure that you have the ability to wipe data from separating employees’ devices, and the ability to change passwords/access so that you don’t have employees breaching security as they are being kicked out the door.