The Federal Trade Commission (“FTC”) has published new guidance that “summarizes lessons learned” from the FTC’s 50-plus data security settlements while also announcing a series of data security conferences. In the new guidance titled “Start With Security: A Guide for Business,” the FTC acknowledges that the data security requirements contained in the settlements apply only to the affected companies. However, the settlements—and the FTC’s distillation of them—reveal regulatory expectations and identify risks that can affect companies of all types and sizes. In this post, we summarize the FTC’s new guidance and provide details on the FTC’s data security conferences happening this fall.

Addressing the expectations revealed in the guidance may not eliminate all data security risk, but the guidance is a useful resource for assessing data security programs. For those looking to explore the FTC’s data security materials on their own, the FTC announced a new “at-a-glance” site where key FTC materials are available.

The FTC identified ten lessons from its data security settlements. We summarize the FTC’s expectations and provide brief descriptions of some of the settlements from which they derive:

  1. Start with security. Companies should make conscious choices about the kind of data they collect, how long they keep it, and how they allow access to it.
  • RockYou – allegedly collected users’ email addresses and passwords unnecessarily and thereby increased the risk of unauthorized access to email accounts;
  • Accretive – allegedly used consumers’ personal information in employee training sessions, and did not remove the information from employees’ computers after the sessions were over; and
  • foru International – allegedly allowed service providers to access sensitive consumer data during the development of applications where such access was not necessary.
  2. Control access to data sensibly. Take reasonable steps to secure data, including by limiting access to the company’s network, restricting access to sensitive data, and limiting administrative access.
  • Goal Financial – allegedly failed to implement reasonable restrictions on employee access to customers’ personal information, which resulted in personal information being transferred to third parties without authorization; and
  • Twitter – allegedly granted administrative access to employees whose jobs did not require such access, thereby increasing the risk of hackers gaining administrative access via compromised employee credentials.
  3. Require secure passwords and authentication. To safeguard personal information, companies should require employees to use complex and unique passwords, store passwords securely, guard against brute force attacks, and address vulnerabilities in authentication mechanisms.
  • Twitter – allegedly did not require employees to use hard-to-guess passwords;
  • Guidance Software – allegedly stored user credentials in plain text;
  • Twitter – allegedly failed to prohibit employees from storing administrative passwords in plain text in their personal email accounts;
  • Lookout Services and Twitter – allegedly failed to suspend or disable user credentials after multiple unsuccessful login attempts; and
  • Lookout Services – allegedly failed to adequately assess the vulnerability of its web application to widely-known security flaws.
  4. Store sensitive personal information securely and protect it during transmission. Companies should encrypt sensitive data with technologies appropriate to the type of data, the context of collection, and the manner in which the data is processed.
  • Superior Mortgage Corporation – allegedly failed to encrypt emails containing customers’ sensitive information;
  • ValueClick – allegedly stored sensitive customer information in a database using an encryption method having significant vulnerabilities; and
  • Fandango and Credit Karma – both companies allegedly failed to validate SSL certificates, thereby undermining the benefits of encrypted SSL communications.
  5. Segment your network and monitor who’s trying to get in and out. Companies should set up firewalls and intrusion detection mechanisms to prevent and identify unauthorized access to networks.
  • DSW – allegedly did not appropriately restrict computers on in-store networks from connecting to computers on corporate networks or networks at other stores; and
  • Dave and Buster’s and CardSystems Solutions – both companies allegedly failed to implement reasonable measures (e.g., intrusion detection systems) to detect unauthorized access to their networks.
  6. Secure remote access to your network. If companies allow employees, clients, or service providers to access their networks remotely, they must reasonably secure access points.
  • Premier Capital Lending – allegedly failed to adequately evaluate a business client’s security practices before granting the client remote access to its network;
  • Settlement One – allegedly granted clients access to an online portal without first ensuring that these clients had implemented basic security measures, such as firewalls and updated antivirus software;
  • LifeLock – allegedly failed to install antivirus software on computers used to remotely access its network; and
  • Dave and Buster’s – allegedly failed to restrict third-party access rights.
  7. Apply sound security practices when developing new products. Security begins with design. Companies should train their engineers in secure coding, follow platform security guidelines, verify the operation of privacy and security features, and test networks for common vulnerabilities.
  • MTS, HTC America, and TRENDnet – allegedly did not train their employees in secure coding practices, which led to security vulnerabilities in software;
  • HTC America, Fandango, and Credit Karma – allegedly did not follow security guidelines issued by platforms, such as those contained in the iOS and Android guidelines for developers;
  • TRENDnet – allegedly failed to test a feature that purportedly rendered camera feeds private; and
  • Guess? – allegedly failed to test its web application for Structured Query Language (SQL) injection attacks, a commonly known and reasonably foreseeable vulnerability.
  8. Make sure your service providers implement reasonable security measures. Supply chains present a wide range of information security risks. To mitigate these risks, companies should seek appropriate assurances regarding the security practices and capabilities of vendors.
  • GMR Transcription – allegedly failed to require service providers to implement reasonable security measures, such as encrypting sensitive data; and
  • Upromise – allegedly failed to verify whether a toolbar developed by a service provider collected information consistent with Upromise’s privacy disclosures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise. Keep ahead of the latest threats by updating and patching third-party software. Heed credible security warnings by moving quickly to fix the reported problems.
  • TJX Companies – allegedly failed to update their anti-virus software within a reasonable timeframe;
  • HTC America – allegedly failed to implement processes for receiving and responding to reports of security vulnerabilities; and
  • Fandango – allegedly did not have effective processes in place for receiving and responding to security vulnerabilities.
  10. Secure paper, physical media, and devices. Many of the lessons that apply to network security also apply to paper records and physical media. Companies should secure sensitive paper files, protect devices that process sensitive information, maintain safety standards when transporting data, and dispose of sensitive data securely.
  • Gregory Navone – allegedly left boxes of sensitive consumer information unprotected in his garage;
  • LifeLock – allegedly left faxes containing consumers’ personal information in easily accessible areas;
  • Accretive and CBR Systems – allegedly failed to prevent personal information from being transported without adequate security measures, making the information vulnerable to theft; and
  • Rite Aid, CVS Caremark, and Goal Financial – allegedly disposed of sensitive information without rendering the information unreadable.
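Lesson 3 above names two concrete failures: credentials stored in plain text (Guidance Software) and credentials that were never suspended after repeated failed logins (Lookout Services and Twitter). The following Python snippet is an added illustration written for this post, not code from the FTC guidance or from any of the companies named; it shows an in-memory credential store that keeps only a salted PBKDF2 hash of each password and temporarily locks an account after a fixed number of failures. The policy values (600,000 iterations, 5 attempts, 15-minute lockout), the `UserStore` class and the sample user are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for this illustration (not taken from the FTC guidance):
PBKDF2_ITERATIONS = 600_000   # work factor for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5       # failures before the account is temporarily locked
LOCKOUT_SECONDS = 15 * 60     # how long a lockout lasts


class UserStore:
    """In-memory credential store: salted PBKDF2 hashes plus a failed-login counter."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self.iterations = iterations
        self._users = {}

    def _derive(self, password, salt):
        # Slow, salted key derivation: the stored value cannot be turned back into
        # the password, and every guess costs the full work factor.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def create_user(self, username, password):
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
        self._users[username] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "failed": 0,
            "locked_until": 0.0,
        }

    def stored_record(self, username):
        """What would actually be persisted for this user: no plaintext password."""
        return dict(self._users[username])

    def authenticate(self, username, password, now=None):
        """Return "ok", "bad_credentials" or "locked"."""
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so an unknown username is not revealed by response time.
            self._derive(password, b"\x00" * 16)
            return "bad_credentials"
        if now < rec["locked_until"]:
            return "locked"  # refuse even a correct password while locked out
        if hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"]):
            rec["failed"] = 0  # a successful login clears the counter
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failed"] = 0
            return "locked"
        return "bad_credentials"


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice", "correct horse battery staple")  # constructed sample user
    print(store.authenticate("alice", "correct horse battery staple"))  # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.authenticate("alice", "guess"))  # bad_credentials x4, then locked
    print(store.authenticate("alice", "correct horse battery staple"))  # locked
```

The `now` parameter exists so the lockout window can be exercised deterministically; a production service would persist the record, log each lockout so that a burst of failures is visible to monitoring, and use a dedicated password-hashing library rather than hand-rolled storage.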

The FTC will be addressing its data security recommendations at two conferences this fall. The first of these conferences will occur in San Francisco on September 9th and will focus on security considerations for start-ups and developers. The second event will take place in Austin on November 5th; the focus of the Austin event has yet to be announced. The events will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response. They will be free, open to the public, and will not require pre-registration.