For the Federal Trade Commission’s second blog post in its “Stick with Security” series, the agency discussed how to maintain a focus on security, regardless of the size of a business or the type of data it handles.
The FTC proffered five steps that can help businesses ensure that their data is secure. First, don’t collect personal information you don’t need. “If you don’t ask for sensitive data in the first place, you won’t have to take steps to protect it,” wrote Thomas B. Pahl, acting director of the FTC’s Bureau of Consumer Protection.
As an example, the agency used a local garden center that introduced a frequent-buyer program using an application that asked customers for personal information, including Social Security numbers. Because the store had no reason to collect Social Security numbers, “it’s taking an unnecessary risk by asking for information in the first place and exacerbating that risk by keeping customers’ applications on file,” the FTC said.
In another example, the agency demonstrated how a tire shop that experienced a breach affecting about 7,000 customers’ information could avoid agency enforcement by retaining only a minimal amount of data: just names, the shop’s loyalty numbers and the date of the last tire rotation.
Next up: Hold on to information only as long as you have a legitimate business need, Pahl wrote. Make it a practice to review the data in your possession periodically, assess what should be maintained and securely dispose of what is no longer needed. Companies shouldn’t maintain data about employment candidates they elect not to hire, for example.
The FTC also advised that personal information should not be used when it’s not necessary, and provided as an example the story of a pet supply company looking to design an app. Instead of creating mock customer files to send to the app developer for the project, the company created an unnecessary risk by sharing real account files with names, addresses and financial information.
The blog post encouraged staff training and follow-through, noting that company employees are both the greatest risk to the security of sensitive information and the best defense against unauthorized access. Training, enacting sensible monitoring procedures to ensure compliance and conducting refresher courses will all serve a business well, the FTC said. The agency also suggested training IT staff to block former employees’ access immediately upon their departure.
Finally, businesses should offer consumers more secure choices when feasible. “Design your products to collect sensitive information only if it’s necessary for functionality and clearly explain your practices to consumers up front,” Pahl wrote. “Consider how you can use default settings, setup wizards, or toolbars to make it easier for users to make more secure choices.”
Why it matters: After explaining the new series and why an investigation into a breach may not always result in agency law enforcement, the second post began addressing the principles in its “Start with Security” guidance. It discussed the importance of collecting sensitive information only when necessary, protecting the data maintained and training staff to carry out appropriate policies. For the next issue, the FTC will turn its attention to the ways access to data can be sensibly controlled.