The Federal Trade Commission released “Start with Security: A Guide for Business” on June 30, 2015. The guide contains ten best practices for addressing issues of data security based on lessons learned from the FTC’s 53 data-security actions to date. Specifically, it identifies “vulnerabilities” that could affect businesses of all sizes and provides some “practical guidance on how to reduce the risks [those vulnerabilities] pose.”
The guide’s pointers include:
- Start with security.
- Control access to data sensibly.
- Require secure passwords and authentication.
- Store sensitive personal information securely and protect it during transmission.
- Segment your network and monitor who’s trying to get in and out.
- Secure remote access to your network.
- Apply sound security practices when developing new products.
- Make sure your service providers implement reasonable security measures.
- Put procedures in place to keep your security current and address vulnerabilities that may arise.
- Secure paper, physical media, and devices.
The Commission has also sprinkled the guide with various cautionary tales gleaned from its many enforcement actions. For instance, in its advice on “control[ling] access to data sensibly,” the Commission highlights a previous action against Twitter for granting nearly all of its employees administrative control over Twitter’s network. This practice, according to the Commission, “increased the risk that a compromise of any of its employees’ credentials could result in a serious breach.” Thus, in the guide, the Commission encouraged businesses to “ensur[e] that employees’ access to the system’s administrative controls was tailored to their job needs.”
In adopting this guide and these examples, the Commission stressed that “no findings have been made by a court” in the 53 data-security cases and that “the specifics of the [Commission’s] orders apply just to those companies.” It is important to note, however, that in other litigation the Commission has argued that such complaints and settlements provide constitutionally adequate notice that a company’s data-security practices may be considered unfair acts or practices under 15 U.S.C. § 45. See Brief for the Federal Trade Commission, FTC v. Wyndham Hotels & Resorts, LLC, 48–49 (3d Cir., pending) (No. 14-3514). Furthermore, in the same litigation, the Commission has contended that a 2007 Business Guide provided sufficient and adequate notice that Wyndham’s failure to take specific actions would be considered unfair.
Given this backdrop and position by the Commission, businesses would be well served by evaluating their data-security practices in light of the Commission’s prior complaints and this guide, even if the complaints, in and of themselves, do not apply directly to the broader business community.