As a dynamic follow-up to its “Start with Security” guide, the Federal Trade Commission (“FTC”) debuted its “Stick with Security” initiative in July to provide continued guidance to businesses on sound security practices. The initiative has kicked off with a series of Friday blog posts, each emphasizing a security best practice drawn from the FTC’s closed investigations, its law enforcement actions, and questions it has received from businesses. In the first blog post, published July 21, 2017, the FTC revealed some of the themes that led it not to take law enforcement action. The themes included:
- The company was in compliance with the FTC’s “Start with Security” guidance;
- There was limited or little risk of consumer injury, for example, because the data breach involved encrypted data;
- Law enforcement was not in the public interest or the best use of resources, for example, if the company involved in the data breach had only collected discrete, non-sensitive information;
- Other agencies were more suited to an investigation or enforcement; and
- The risk of a data breach was principally theoretical, for example, if the identified potential vulnerabilities carried little risk because exploitation would require a high level of sophistication and a specific (and unlikely) confluence of events.
Since the debut, each new post in the series encourages a straightforward security practice and illustrates it with relatable hypotheticals using businesses of all flavors, across industries, and of varying levels of sophistication. Topics correspond to the principles in the “Start with Security” guide and include establishing and maintaining security practices; sensibly controlling data access; requiring strong passwords and authentication; storing and protecting sensitive personal information; segmenting and monitoring your network; securing remote network access; applying sound practices when developing new products; ensuring service providers are observing reasonable security measures; establishing security procedures; and, most recently, securing paper, physical media, and devices.
While companies whose biggest customer is the federal government generally may not worry much about FTC investigations, government contractors and companies in the commercial space alike can benefit from keeping an eye on the FTC’s ongoing guidance. Each digestible post provides practical insights into specific choices a company can make that are likely to mitigate what could otherwise amount to a serious data breach. For additional information, visit the FTC’s Business Blog and look for the “Stick with Security” series header.