May 26, 2020

FTC Releases “Start with Security” Guide to “Practical Lessons” From Data Security Enforcement Actions

As part of its ongoing outreach efforts to educate businesses about the importance of data security practices, the FTC has released a list of “10 practical lessons” drawn from its previous data security enforcement actions.  The list, entitled “Start with Security: A Guide for Business,” acknowledged that the FTC’s 50-plus data security enforcement actions are only binding on the individual companies subject to each action, but states that “learning about alleged lapses that led to law enforcement can help your company improve its practices.”  In addition to ten “lessons,” the list included several subcategories of advice for each lesson drawn from prior FTC enforcement actions.  As with all FTC “best practice” guides, this document does not state binding rules of law, but is a view into the FTC’s thinking on data security enforcement.

Here’s a brief overview of the matters included in the FTC’s list.

  1. Start with Security:  Building on the FTC’s prior emphasis on privacy by design, the first item in the list encourages companies to build security “into the decisionmaking in every department of your business.”  The report notes that companies should refrain from collecting personal information they don’t need, retain the information only as long as a legitimate business need exists, and refrain from using personal information when it’s not necessary.  The FTC pointed to its enforcement action against BJ’s Wholesale Club as an example of an unreasonable risk created by unnecessary retention of personal information, which hackers subsequently gained access to.

  2. Control Access to Data Sensibly:  This topic focuses on the need to not only protect data from outsiders, but insiders as well.  According to the FTC’s post, “[n]ot everyone on your staff needs unrestricted access to your network and the information stored on it.”  Access to sensitive data should be restricted to employees who need to access that data as part of their employment duties, and administrative access (described as access that “allows a user to make system-wide changes to your system”) should be restricted employees who require that access as part of their job. For example, the FTC’s enforcement action against Twitter faulted the company for increasing the risk of an eventual breach by granting administrative access over its system to most of its employees.

  3. Require Secure Passwords and Authentication:  The FTC recommends that companies that store personal information on their networks use strong authentication procedures, including sensible password “hygiene,” to protect that information from unauthorized access.  Companies should insist on “complex and unique” passwords and train their employees “not to use the same or similar passwords for both business and personal accounts.”  Passwords should never be stored in plain text, according to several FTC enforcement actions, and companies should also “consider other protections — two-factor authentication, for example — that can help protect against password compromises.”  The report also suggests that companies should also guard against brute force attacks by suspending or disabling accounts after repeated login attempts and protect against methods of bypassing their authentication safeguards by testing for common security vulnerabilities.

  4. Store Sensitive Personal Information Securely and Protect it During Transmission:  The FTC urges companies to utilize “strong cryptography to secure confidential material during storage and transmission,” including TLS/SSL encryption, data-at-rest encryption, or an iterative cryptographic hash.  The FTC also emphasized the need to ensure that the employees responsible for data security understand how the company uses sensitive data and have the experience to react appropriately in different situations.  This risk is not limited to transmissions outside of a company’s network — in its enforcement action against Superior Mortgage Corporation, the FTC faulted the company for retaining sensitive personal information within the company’s offices in clear text, even though the information was encrypted in transmission outside of the network.  Companies should also utilize industry-standard and accepted security methods, the report noted, as the FTC has previously pursued an enforcement action for using a “proprietary” form of encryption with significant vulnerabilities.  Finally, companies should ensure that their encryption methods are configured properly.  The FTC recently entered into settlements with Credit Karma and Fandango for disabling SSL certificate validation, a critical step that undermined their apps’ use of SSL encryption.

  5. Segment Your Network and Monitor Who’s Trying to Get In and Out:  Companies should consider utilizing firewalls and similar tools to segregate different portions of their network, the report notes, with a particular emphasis on housing sensitive data in a separate, secure place on the network.  The staff also suggests that companies should utilize effective intrusion detection and monitoring tools to reduce the risk or breadth of a data compromise by detecting early signs of malicious activity.  For example, in its enforcement action against Dave & Buster’s, the FTC alleged that the company did not use an intrusion detection system or monitor its system logs for suspicious activity, thereby expanding the breadth of a payment card breach.

  6. Secure Remote Access to Your Network:  Due to the increased use of mobile devices in the workplace, the FTC suggested that companies that grant remote access to their networks must pay special attention to securing these access points.  The FTC has pursued enforcement actions against companies that failed to ensure proper endpoint security for computers with access to their networks.  For example, in its enforcement cases against Premier Capital Lending and Settlement One, the FTC faulted each company for failing to properly assess and ensure that its clients had proper security measures in place before granting them access to sensitive information on the company’s networks and systems.  The report suggests that companies should impose sensible access limits, including restricting third-party network connections to specified IP addresses or granting temporary, limited access.

  7. Apply Sound Security Practices When Developing New Products:  Companies should start, the report suggests, by adequately training their employees responsible for product development in secure coding practices, as several companies have faced FTC enforcement actions for failing to implement “readily available” security mechanisms to protect sensitive information. The FTC has also pursued enforcement actions against companies, such as Snapchat and TRENDnet, for failing to verify that advertised security and privacy features functioned as intended.  Finally, the FTC’s staff endorsed the use of testing for common vulnerabilities, such as SQL injection attacks and other vulnerabilities identified through the Open Web Application Security Project.

  8. Make Sure Your Service Providers Implement Reasonable Security Measures:  Prior to hiring a third party, the report states that companies should be “candid” about their security expectations and take “reasonable steps” to ensure that the third party meets the appropriate security requirements.  Companies should not only insist that appropriate security standards are part of written contracts with third parties, the report suggests, but also should verify compliance with these provisions.  For example, the FTC pursued an enforcement action against Upromise after it failed to verify that a third-part developer had complied with the terms of its contract to develop a browser toolbar, leading to the clear-text transmission of sensitive information.

  9. Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities that May Arise:  Companies should apply updates and patches to third-party software on their networks as they become available to avoid unnecessary vulnerabilities.  Although the FTC acknowledges that companies may need to prioritize patches by severity, companies should have a “reasonable process in place to update and patch” third-party software.  Companies also should have an effective process in place to receive and address security vulnerability reports, the report notes, and should consider developing and publicizing a specific channel, such as a dedicated email address, to receive vulnerability reports and flag them to the appropriate security personnel.

  10. Secure Paper, Physical Media, and Devices:  The FTC also urges companies to consider physical security for hard drives, laptops, flash drives, disks, and other similar items alongside network security measures.  Companies should store sensitive hard-copy files in physically secure locations and shred, burn, or otherwise render documents unreadable, as well as using available technology to wipe devices clean after they are no longer in use.  Companies should also ensure that devices that collect sensitive information, such as PIN pads, are secured, and that safety standards are observed while physical media is in transit.  For example, the report notes that companies should utilize mailing methods that allow for package tracking, limit instances when employees need to take sensitive data outside of the workplace, and ensure that employees keep sensitive information out of sight and physically secured whenever possible.

As part of its broader “Start With Security” initiative, the FTC is planning a series of conferences on security issues aimed at small- to medium-sized businesses.  The first conference, scheduled for September 9 in San Francisco, will focus on start-ups and developers and cover topics such as security by design, common security vulnerabilities, strategies for secure development, and vulnerability response.  The FTC has also launched a new website that consolidates its data security advice from prior cases, public statements, advocacy filings, and other activities.

© 2020 Covington & Burling LLP

TRENDING LEGAL ANALYSIS


About this Author

Caleb Skeath, data and cybersecurity lawyer, Covington
Associate

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation.

Mr. Skeath specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and...

202.662.5119