One of my law firm partners, Montserrat Miller, recently wrote a client alert on the US Federal Trade Commission’s guide on data security. As Irish and Northern Irish companies expand to the US–even if it’s just handling US-origin data–they should keep these lessons in mind. Here’s Montserrat’s client alert:
Data Security 101 for Business – Guidance from the Federal Trade Commission
Recently the Federal Trade Commission (FTC) issued a guide, Start with Security: A Guide for Business, which pulls from lessons learned from the 50+ data security enforcement actions that the FTC has announced. To be clear, these actions are settlements and not court orders. Nonetheless, the “ten lessons” they provide in the guide are worth reading and thinking about how they apply to your company. Below top ten lessons are (literally) taken from the FTC’s guide and I then add a few summary sentences:
- Start with security — when it comes to data collection, use and retention, less is better. As the guide says, “by making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of data compromise down the road.” If you don’t need driver’s license information or Social Security numbers on a particular form…don’t collect them just to collect them.
- Control access to data sensibly — not all employees need to have access to everything, be it paper files, the network, administrative controls. Pull the reins on that horse, cowboy! Limit and restrict access to data, especially sensitive data.
- Require secure passwords and authentication — the word “password” is not a secure password. Enough said. Also, implement a policy to suspend or disable accounts after repeated log in attempts to reduce the risk of an attack being successful. Test for common vulnerabilities and widely known security flaws, such as “predictable resource location” where hackers can bypass the web app’s authentication screen and gain unauthorized access.
- Store sensitive personal information securely and protect it during transmission — in other words, be in it for the long haul and protect data at all stages. Make sure your company properly implements encryption and SSL protocols, and use industry-tested methods not some $9.99 summer special.
- Segment your network and monitor who’s trying to get in and out — limit access and have in place strong intrusion detection and prevention tools.
- Secure remote access to your network – remote access is a curse and a blessing, depending on how you look at it. It also challenges a company’s data security policies and procedures. Ensure endpoint security and have firewalls and updated antivirus software in place. Also, limit third party access to what is needed.
- Apply sound security practices when developing new products — if a company is pushing out a new mobile app or software, they need to ensure their engineers are trained in secure coding practices, don’t turn off SSL certification validation and test for common vulnerabilities. The FTC cites the Open Web Application Security Project as a resource for identifying commonly-known vulnerabilities. Finally, a big one for the FTC — do what you say you will do. In other words, if your company’s mobile app or software features specific privacy and security settings, the product needs to live up to those features/representations.
- Make sure your services providers implement reasonable security measures — in other words, company’s need to police their vendors to ensure their data security practices are reasonable. Security standards should be incorporated into the terms of service agreements and compliance should be audited.
- Put procedures in place to keep your security current and address vulnerabilities that may arise — have policies and procedures in place to update/patch third party software as well as to receive and act on security alerts.
- Secure paper, physical media, and devices — not all data is collected and maintained in electronic format. Data security applies to hard copy documents as well and confidential information there needs to be protected every bit as much as if it is in electronic form. When sensitive data is no longer needed, company’s should properly dispose of it by shredding, burning or pulverizing documents if paper documents. Throwing documents with sensitive personal information in the trash can is strictly verboten.
Not rocket science, but given the enforcement actions brought by the FTC, companies suffer from these mistakes and failures. For more details on each point above, and to learn about some of the companies impacted by these enforcement actions, click here to read the guide.