The Federal Trade Commission (“FTC”) has launched a new initiative, dubbed “Start with Security,” which is focused on assisting businesses in developing greater security to protect consumers’ personal information. To kick off the initiative, the FTC issued Protecting Personal Information: A Guide for Business, which is based on the lessons learned from the approximately fifty (50) data security cases that the FTC has brought against companies throughout the years. In the Guidance, the FTC sets forth the following ten steps that it believes are key to protecting consumer information and provides guidance regarding each:
- Start with security.
- Control access to data sensibly.
- Require secure passwords and authentication.
- Store sensitive personal information securely and protect it during transmission.
- Segment your network and monitor who’s trying to get in and get out.
- Secure remote access to your network.
- Apply sound security practices when developing new products.
- Make sure your service providers implement reasonable security measures.
- Put procedures in place to keep your security current and address vulnerabilities that may arise.
- Secure paper, physical media, and devices.
The FTC focuses on building security into every aspect of the decision-making process within the company, whether collecting information from employees or customers. The FTC further urges companies to evaluate whether they need the information that they intend to collect, and reminds companies that persons cannot steal information that a company does not hold. In each step, the FTC provides a reference to a complaint that it issued against a particular company and explains how it believes certain situations could have been avoided.
In addition to the written guidance, beginning in September, the FTC will convene a series of conferences across the country, with the first event to be held in San Francisco on September 9, to address these issues. The September event is aimed at start-ups and developers, and will bring together experts to discuss security by design, common security vulnerabilities, and vulnerability response, among other topics.