Why it matters

The Federal Trade Commission (FTC) kicked off a new educational initiative to provide guidance to businesses in the area of data security. Based on the lessons learned from more than 50 of the agency's data security cases, the FTC's "Start With Security" brochure offers 10 "key steps" to effective data security. To promote the initiative, the agency will host conferences across the country, beginning with a September 9 event in San Francisco and followed by a November 5 gathering in Austin, Texas. "Although we bring cases when businesses put data at risk, we'd much rather help companies avoid problems in the first place," said Director of the FTC's Bureau of Consumer Protection Jessica Rich. The guidance is illustrated by various FTC actions and provides "plain language explanations of the security principles at play."

Detailed discussion

To provide guidance to businesses in the area of data security, the Federal Trade Commission (FTC) has launched a new initiative.

"Start With Security" includes tips in the form of a 10-step publication as well as a series of conferences to be held by the agency across the country. First stop: San Francisco in September, followed by Austin in November. Each event will have a slightly different focus; the inaugural conference is aimed at start-ups and developers and will cover issues such as security by design, strategies for secure development, common security vulnerabilities, and vulnerability response.

The FTC drew on 53 of its data security cases to develop 10 key steps to effective data security. "The document is designed to provide an easy way for companies to understand the lessons learned from those previous cases," the agency explained. A new, one-stop website consolidating the Commission's data security information was established at www.ftc.gov/datasecurity.

The first step: start with security. "Factor it into the decisionmaking in every department of your business—personnel, sales, accounting, information technology, etc.," the agency advises. Don't collect personal information that isn't necessary, hold on to information only as long as a legitimate business need exists, and don't use personal information when it's not necessary.

Once data has been collected, be careful with it, the agency recommends in step two, and control access to data sensibly. Put controls in place, such as separate user accounts to limit access to the places where personal data is stored. Administrative access should be limited, a lesson learned from an action taken against Twitter after the Commission asserted that almost all of Twitter's employees had administrative control over Twitter's system, including the ability to reset user account passwords, view users' nonpublic tweets, and send tweets on users' behalf.

Companies should require secure passwords and authentication, the FTC urges in step three. Insist on complex and unique passwords, store passwords securely (consider two-factor authentication, for example), guard against brute force attacks (by suspending or disabling user credentials after a certain number of unsuccessful login attempts), and protect against authentication bypass.
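The three controls step three names (insist on passwords that are not trivially guessable, store only a salted, slow hash rather than the password itself, and suspend credentials after repeated failed logins) fit in a few dozen lines. The following is an added example and is not code from the FTC or the brochure; the 12-character minimum, the five-attempt limit, the PBKDF2 iteration count and the small denylist of common passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values, not taken from the FTC guidance.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 600_000  # slow on purpose: raises the cost of offline guessing

# Constructed denylist standing in for a real list of breached or common passwords.
COMMON_PASSWORDS = {"password1234", "qwerty123456", "letmein12345"}


@dataclass
class Account:
    """What the server keeps: a per-user salt and a hash, never the password."""
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def password_acceptable(password: str, denylist: set[str] = COMMON_PASSWORDS) -> bool:
    """Reject short passwords and anything on the common-password denylist."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in denylist


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256 (standard library only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(password: str) -> Account:
    """Generate a random 16-byte salt and store only its hash."""
    if not password_acceptable(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    return Account(salt=salt, digest=hash_password(password, salt))


def verify_login(account: Account, password: str) -> bool:
    """Constant-time comparison plus lockout after MAX_FAILED_ATTEMPTS failures."""
    if account.locked:
        # A locked account refuses every attempt, right or wrong, until an
        # out-of-band reset; this is the "suspend credentials" control.
        return False
    candidate = hash_password(password, account.salt)
    if hmac.compare_digest(candidate, account.digest):
        account.failed_attempts = 0  # a good login clears the failure counter
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


if __name__ == "__main__":
    acct = create_account("correct horse battery staple")
    print("good password accepted:", verify_login(acct, "correct horse battery staple"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        verify_login(acct, "wrong guess")
    print("locked after repeated failures:", acct.locked)
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so that a wrong guess is rejected in the same time as a near miss, and the lockout applies to the account regardless of which password is supplied, so the legitimate user also sees it and can report an attack rather than having it pass unnoticed.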

Storing sensitive data can be a business necessity, the FTC acknowledges. But store it securely and protect it during transmission, the agency recommends in step four. Information should remain secure throughout its life cycle, and businesses should adopt industry-tested and accepted methods of security.

In step five, the agency suggests that businesses segment their networks and monitor who is trying to get in and out. Tools like firewalls can limit access between computers on the network as well as to the Internet, and intrusion detection and prevention tools can keep an eye on a network for malicious activity. In a case against DSW, the FTC alleged that DSW failed to sufficiently limit computers on one in-store network from connecting to computers on other in-store and corporate networks, allowing hackers to use one in-store network to connect to and access other in-store and corporate networks. "Not every computer in your system needs to be able to communicate with every other one," the FTC advises.

With an increasingly mobile workforce, businesses should secure remote access to their networks. Don't activate a remote login account for a business client without first assessing the client's security, the FTC explains in step six. The lesson is illustrated by the Premier Capital Lending case, in which the FTC alleged that the company activated a remote login account for a client without assessing that business's security, allowing hackers to access consumers' personal information. Install antivirus programs and place sensible limits on third-party access, the FTC suggests.

Step seven addresses the development of new products. Apply sound security practices from the very beginning through design, development, testing, and rollout, the FTC stressed, from training engineers in secure coding, to verifying that the privacy and security features adopted actually work, to testing for common vulnerabilities.

A subject of much concern: third parties. To ensure that service providers implement reasonable security measures, step eight instructs businesses to make security standards part of contracts with vendors—and then verify compliance, building oversight into the process. Upromise faced an enforcement action from the FTC when it allegedly failed to verify that a service provider's program for collecting consumers' browser information was consistent with Upromise's privacy and security policies, the agency noted.

In step nine, the agency recommends that businesses adopt procedures to keep security current and address vulnerabilities that may arise. "Securing your software and networks isn't a one-and-done deal," the FTC explained. "It's an ongoing process that requires you to keep your guard up." Apply updates and patches as they are issued and keep an ear to the ground for credible security warnings, perhaps with a dedicated e-mail address to receive and address vulnerability reports in order to flag issues for security staff.

Finally, the guidance provided a reminder to secure paper, physical media and devices. Even in the digital age, physical security remains an important consideration, the agency said, so don't leave sensitive files in boxes in the garage or lying around the office. Devices should also be protected (don't leave laptops, backup tapes, or external hard drives with sensitive information in cars, particularly if the devices are unencrypted), and when disposing of sensitive data, businesses should do so in a secure fashion—shredding or burning physical documents or wiping devices—instead of tossing them in a dumpster.
