The Federal Trade Commission has issued new guidance on data security for companies that collect, store and use consumer information, gleaned from the more than 50 enforcement actions brought by the agency over the past decade. The guidance, "Start with Security: A Guide for Business," distills 10 "lessons learned" from data security lapses, illustrating each lesson with a specific settlement.
1. Start with security. Securing confidential consumer information must be part of the decision-making process of every part of the organization, including personnel, sales, accounting and information technology. Businesses also should make informed choices about what information to collect, how long to keep that information and when to use it. The FTC suggests that "less" is preferable in all of these areas, advising against collecting "unnecessary" personal information, storing that information any longer than needed and using personal information in situations where it isn't warranted.
2. Control access to data sensibly. Employees should have access to consumer information on a "need to know" basis according to their job functions, and controls can take the form of anything from password-protected user accounts that limit network access to locked file cabinets.
3. Require secure passwords and authentication. Strong authentication procedures help ensure that only authorized individuals are able to access sensitive data. According to the FTC, however, companies too often fail to follow basic precautions like insisting that employees and customers use complex and unique passwords and ensuring passwords are securely stored. The agency also recommends companies maintain security of their authentication mechanisms by regularly testing for common vulnerabilities.
4. Store sensitive personal information securely and protect it during transmission. In addition to storing personal information, many companies transmit it to others. The FTC recommends using strong cryptography to secure confidential material during storage and transmission. The agency also advises that businesses must secure sensitive information for the entire duration of its use - from transmissions from the customer's web browser to the business's website server during collection, and during storage and retransmission or use.
5. Segment networks and monitor who is trying to get in and out.The FTC recommends tools including firewalls to segment business networks, and intrusion detection and prevention tools to monitor networks for malicious activity.
6. Secure remote access to networks. According to the FTC, a mobile workforce creates increased security risks, and businesses that give employees, clients or service providers remote access to their networks must secure those access points, including ensuring appropriate endpoint security by insisting that clients take basic security measures such as installing firewalls and updated antivirus software before accessing their networks and putting sensible access limits in place, such as limiting third-party access to networks by restricting connections to specified IP addresses or granting temporary, limited access.
7. Apply sound security practices when developing new products.A new app or software may require customers to store or send sensitive information. FTC cases involving product development, design, testing and rollout indicate that some businesses didn't think through how their new product would handle this data securely. The FTC recommends training engineers in secure coding practices to avoid vulnerabilities, following platform guidelines for security, verifying that privacy and security features work as advertised to customers, and adequately testing products for well-known vulnerabilities.
8. Make sure service providers implement reasonable security measures. The guidance recommends that companies investigate and monitor the data security practices of any third-party providers, communicating clear expectations about security (including making those expectations part of the service contract), selecting providers that are able to implement the appropriate security measures and verifying compliance.
9. Put procedures in place to keep security current and address vulnerabilities that may arise. The FTC advises that securing software and networks is an ongoing process and that detecting and addressing vulnerabilities in a product or third-party software requires constant vigilance. Once a problem has been detected, businesses must move quickly to fix it.
10. Secure paper, physical media and devices. The security of physical media, including paper files, hard drives, laptops, flash drives and disks, is as critical as network security, and the FTC recommends that businesses securely store sensitive files and not leave them out in the open or keep them in unsecured areas. Organizations must also protect devices that collect and process personal information, like PIN entry devices, and keep safety standards in place when sensitive data is en route by tracking mailed packages, limiting instances when employees need to travel with sensitive data in their possession, and training employees to secure sensitive data when traveling.