FTC Tells Business “Start With Security”

computer virus-41379_640This scary symbol for computer virus marks the Federal Trade Commission’s new “Start with Security: A Guide for Business” issued on June 30, 2015. The Guide reviews over 50 data security enforcement settlements and provides lessons learned for business from those cases. The Guide lists 10 lessons on how business can reduce vulnerabilities in their online networks and data systems. Here are the highlights:

 

  1. Start with Security
  • Factor data security into your decision making in every department: personnel; sales; accounting; IT, etc.
  • Don’t collect personal information you don’t need. (Citing RockYou where the company collected unneeded email passwords and stored them in clear text)
  • Hold on to information only as long as you have a legitimate business need. (Citing BJ’s Wholesale Club where the company stored customer credit and debit card data for 30 days after purchase)
  • Don’t use personal information when it’s not necessary. (Citing Accretive and foru International where sensitive information of actual customers was used in employee training and by application development service providers)

 

  1. Control access to data sensibly
  • Put controls in place to make sure employees have access to sensitive data only on a “need to know” basis.
  • Restrict employee access to sensitive data. (Citing Goal Financial where employees transferred over 7,000 consumer files to third parties without authorization)
  • Limit administrative data access. (Citing Twitter where almost all employees had administrative control over Twitter’s system)

 

  1. Require secure passwords and authentication
  • Insist on complex and unique passwords. (Citing Twitter where employees were allowed to use common dictionary words as passwords and passwords from other accounts)
  • Store passwords securely. (Citing Guidance Software where network user credentials were stored in readable text; Reed Elsevier where customers where allowed to store user credentials in unprotected cookies on their computer; and Twitter where there were no policies prohibiting employees from storing administrative passwords in plain text)
  • Guard against brute force (password guessing program) attacks. (Citing Lookout Services; Reed Elsevier; and Twitter where company policies did not suspend or disable user credentials after a certain number of unsuccessful login attempts)
  • Protect against authentication bypass. (Citing Lookout Services where the company failed to adequately test its web application for widely-known security flaws)

 

  1. Store sensitive personal information securely and protect it during transmission
  • Use strong cryptography to secure confidential material during storage and transmission. (FTC notes possibilities may include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption; data-at-rest encryption, or an iterative cryptographic hash.)
  • Keep sensitive information secure throughout its lifecycle. (Citing Superior Mortgage Corporation where transmitted encrypted sensitive customer information was decrypted by a service provider once it reached the company’s server and transmitted further)
  • Use industry-tested and accepted methods. (Citing ValueClick where the company used non-standard proprietary encryption using a simple alphabetic substitution)
  • Ensure proper configuration. (Citing Fandango and Credit Karma where the companies mobile apps used SSL encryption but turned off SSL certificate validation without other compensating security measures)

 

  1. Segment your network and monitor who’s trying to get in and out
  • Consider using tools like firewalls to segment your network, computers and the Internet. (Citing DSW where the company did not sufficiently limit computers in one in-store network from connecting to computers on other in-store and corporate networks and accessing personal information)
  • Monitor activity on your network with intrusion detection and prevention tools. (Citing Dave & Buster’s and Cardsystem Solutions where the companies did not use intrusion detection and network monitoring systems)

 

  1. Secure remote access to your network
  • If you give employees, clients, or service providers, remote access to your network, take steps to secure those access points.
  • Ensure endpoint security. (Citing Premier Capital Lending, Settlement One, and Lifelock where the companies did not assess remote user’s network security measures such as firewalls and antivirus programs)
  • Put sensible access limits in place. (Citing Dave & Buster’s where the company did not adequately restrict third-party access to its network)

 

  1. Apply sound security practices when developing new products (such as mobile applications)
  • Train your engineers in secure coding. (Citing MTS, HTC America, and TRENDnet where employees where not trained in secure coding)
  • Follow platform guidelines for security. (Citing HTC America, Fandango, and Credit Karma where the companies did not follow explicit platform secure development guidelines)
  • Verify that privacy and security features work. (Citing TRENDnet where the company failed to test an option to make a consumer’s camera feed private and Snapchat where the company advertised that messages would “disappear forever” but failed to ensure the accuracy of that claim)
  • Test for common vulnerabilities like those identified by the Open Web Application Security Project (OWASP). (Citing “more than a dozen FTC cases” where businesses failed to adequately assess their applications for well-known vulnerabilities and Guess? where the business failed to assess whether its web application was vulnerable to Structured Query Language (SQL) injection attacks)

 

  1. Make sure your service providers (including data processors and app developers) implement reasonable security measures
  • Before hiring someone, be candid about your security expectations
  • Take steps to select providers who are able to implement appropriate security measure and monitor that they’re meeting your requirements.
  • Put it in writing. (Citing GMR Transcription where company hired service providers to transcribe sensitive audio files but failed to require the service provider to take reasonable security measures)
  • Verify compliance. (Citing Upromise where the company hired a service provider to create a tool bar but failed to verify the service provider removed any personally identifying information before transmission as promised)

 

  1. Put procedures in place to keep your security current and address vulnerabilities that may arise
  • Update and patch third-party software you are using regularly. (Citing TJX Companies where the company failed to update its anti-virus software)
  • Heed credible security warnings and move quickly to fix them. (Citing HTC America where the company had no process for receiving reports about data security vulnerabilities and Fandango where the company relied on its general customer service system to respond to warnings about security risks which it did inadequately)

 

  1. Secure paper, physical media and devices
  • FTC notes network security is critical, but many of the same lessons also apply to paperwork and physical media like hard drives, laptops, flash drives and disks.
  • Securely store sensitive files. (Citing Gregory Navone where sensitive consumer information was stored in the company owner’s garage and Lifelock where faxed documents with consumers’ personal information were left in open and easily accessible areas. )
  • Protect devices that process personal information. (Citing Dollar Tree from 2007 and noting that attacks targeting point-of-sale devices are now common and well-known)
  • Keep safety standards in place when data is en route. (Citing Accretive and CBR Systems in which unencrypted laptops and other computer equipment where stolen from employees’ cars)
  • Dispose of sensitive data securely. (Citing Rite Aid and CVS Caremark where the company threw sensitive personal information including prescriptions in dumpsters and Goal Financial where the company sold surplus hard drives with sensitive customer personal information in clear text)

Want more information? Author Linda Priebe is a partner in Culhane Meadows’ Washington DC office where she provides advice and counsel to social media advertisers and marketers, online retailers, regulated industries, employers, federal contractors, and law firms regarding compliance with laws regarding data privacy and security and use of social media in business. She can be reached at LPriebe@CulhaneMeadows.com

*Culhane Meadows is ranked by U.S. News/Best Law Firms in Technology Law, Bankruptcy/Reorganization Law, and Information Technology Law. This website and the communications herein may be considered attorney advertising. Previous results are not a guarantee of future outcome. This website is for informational purposes only and does not constitute legal advice. The information herein is not intended to create an attorney-client or similar relationship. Until you establish such a relationship and receive an engagement letter, you have not hired a Culhane Meadows attorney nor become a client of the firm. Whether you are a new or existing client of the firm, Culhane Meadows must determine that there is no conflict of interest and that it is willing and otherwise able to accept the new engagement before representing you on a new matter. Only if and after Culhane Meadows has informed you it is willing and able to accept your new matter should you send the firm any information or documents that you consider private or confidential. Such information will not be treated as private, confidential or otherwise protected from disclosure until Culhane Meadows has communicated in writing that it is willing and able to accept your new matter and provide you with legal counsel. Whether you need legal services and which lawyer or law firm you select are important decisions that should not be based on this website alone.