The Federal Trade Commission has released new guidance, called “Start with Security,” intended to assist businesses to improve their data security practices based on lessons learned from its 53 data security cases to date.  Issued on June 30, 2015, the guidance “distill[s] the facts of those cases down to their essence” in ten “lessons to learn that touch on vulnerabilities that could affect your company.”

The ten lessons are as follows:

  1. Start with security.  The FTC advises businesses to factor security into its business processes from the beginning.  It also reminds businesses not to collect personal information they do not need or to hold on to such information longer than necessary for business purposes.  Finally, businesses should not use personal information unless necessary for a business purpose.  If the use of personal information is avoidable, then such use should be avoided.
  2. Control access to data sensibly.  If personal information is collected and used for legitimate purposes, the FTC advises businesses to take reasonable steps to ensure the security of the data.  This includes restricting access to the data based on job roles and limiting administrative access rights to users who need such access to perform their job functions.
  3. Require secure passwords and authentication.  The FTC provides tips on strong authentication procedures and password hygiene, including requiring complex and unique passwords (and providing training on common password pitfalls); storing passwords securely (i.e., not in clear text); considering implementing additional password protections such as multi-factor authentication; requiring account lock-outs after a small number of attempted failed authentications to prevent brute force attacks; and regularly testing for known vulnerabilities that can be exploited to circumvent authentication requirements.
  4. Store sensitive personal information securely and protect it during transmission.  The Commission advises businesses to secure data throughout its lifecycle – not just for portions of it.  Businesses should also utilize proven, industry-tested, and widely accepted technologies to protect their data.  Along the same lines, businesses should take steps to ensure that technologies they implement to protect data are configured properly.
  5.  Segment your network and monitor who’s trying to get in and out.  In terms of network design, the FTC advises businesses to employ network segmentation to store sensitive data in a location that is not accessible by users and devices that do not have a legitimate business need.  Moreover, the Commission advises businesses to monitor their networks for suspicious activity to reduce the risk of sensitive data being accessed and/or exfiltrated without authorization.
  6. Secure remote access to your network.  Businesses should ensure endpoint security is in place on all devices with remote access to their networks, such as firewalls and up-to-date anti-malware software.  Likewise, companies should place limitations on third-party (e.g., service provider) remote access to their networks, such as by restricting connections to certain IP addresses or granting temporary, limited access on an as-needed basis.
  7. Apply sound security practices when developing new products.  For software developers, the FTC recommends taking security into consideration early in the development process.  Specifically, the Commission recommends training engineers on secure coding practices; ensuring that platform guidelines on security features and best practices are followed; testing products to ensure they work as promised or advertised; and testing products for common or reasonably foreseeable vulnerabilities, such as those identified in the Open Web Application Security Project.
  8. Make sure your service providers implement reasonable security measures.  Just as it is key for businesses to implement reasonable security practices, it is likewise essential that businesses’ service providers do the same – especially those with access to personal information.  The FTC advises businesses to incorporate security standards and security-oriented representations and warranties into contracts and service agreements, as well as to build oversight of service provider security practices into these agreements.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.  The Commission emphasizes that reasonable data security requires ongoing activities such as implementing patches and other software upgrades (including updates to anti-malware signatures) as they are issued by third-parties.  Likewise, the FTC recommends that software developers have a dedicated process for receiving reports from third-parties about potential security vulnerabilities as well as for addressing such vulnerabilities in a reasonably prompt manner.
  10. Secure paper, physical media, and devices. Finally, the FTC emphasizes that security considerations extend to paper and physical media as well.  This includes implementing documented security measures for papers containing sensitive information; encrypting laptop hard drives and other transportable electronic media; using a mailing method that allows for tracking; and generally minimizing the instances in which employees take sensitive data outside of secure facilities and implementing adequate security measures in those instances when transporting such materials is determined to be legitimately necessary.  Businesses are also advised to dispose of papers or physical media containing sensitive information in a secure fashion, such as through shredding, burning, or pulverizing documents and by wiping electronic media with available technologies to ensure the data cannot be recovered or read.  In addition, the Commission specifically notes that attacks targeting point-of-sale devices are now “common and well-known, and business should take reasonable steps to protect such devices from compromise.”  This latter advice may be particularly noteworthy as attacks targeting point-of-sale devices are becoming increasingly common.

In addition to issuing this new guidance, the Commission announced on June 30 that the “Start with Security” initiative would also include a series of conferences aimed at small and medium businesses in various industries across the country.  The conferences are intended to provide these businesses “practical tips and strategies for implementing effective data security” measures and thereby avoid scrutiny from the Commission.  According to Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, “[a]lthough we bring cases when businesses put data at risk, we’d much rather help companies avoid problems in the first place.”

The first conference, aimed at start-ups and developers, is scheduled to take place on September 9, 2015, at the University of California Hastings College of Law in San Francisco, and will “bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response.”  The second conference is scheduled to take place on November 5, 2015 at the University of Texas Robert C. Strauss Center for International Security and Law in Austin.