[BreachExchange] FTC Provides Guidance on Reasonable Data Security Practices (Part I of III)

Inga Goddijn inga at riskbasedsecurity.com
Mon Oct 16 20:45:28 EDT 2017


http://www.jdsupra.com/legalnews/ftc-provides-guidance-on-reasonable-18941/

Over the past 15 years, the Federal Trade Commission (FTC) has brought
more than 60 cases against companies for unfair or deceptive data security
practices that put consumers' personal data at unreasonable risk.  Although
the FTC has stated that the touchstone of its approach to data security is
reasonableness, the FTC has faced considerable criticism from the business
community for lack of clarity as to what it considers reasonable data
security.

Earlier this year, FTC Acting Chairman Maureen Ohlhausen pledged greater
transparency concerning practices that contribute to reasonable data
security.  As a follow-up to Ohlhausen’s pledge, the FTC published a weekly
blog over the past few months, Stick with Security, that focuses on the ten
principles outlined in its Start with Security Guide for Businesses. In the
blog, the FTC uses examples taken from complaints and orders to offer
additional clarity on each principle included in the Start with Security
guidelines.

This is the first of three articles reviewing the security principles
discussed by the FTC in its Stick with Security blog.

Start with Security

Don’t collect personal information you don’t need.  After a security
incident, many businesses realize that collecting sensitive information
just because a company has the ability to do so is no longer a good
business strategy.  In addition, it is easier for companies to protect a
limited set of sensitive data than large amounts of personal information
located on a company’s network.  Consequently, a company that limits the
data it collects may be better positioned to demonstrate that its security
practices are reasonable.  For example, following one security breach that
resulted in the exposure of information of over 7,000 consumers, the FTC
decided not to pursue a law enforcement action, in part, because the
company had deliberately limited the sensitive information it collected.

Hold on to information only as long as you have a legitimate business
need.  Companies should routinely review the data they have collected and
dispose of data that is no longer needed.  As an example of inadequate data
purging practices, the FTC cited a large company that stored personal
information collected at recruiting fairs on an unencrypted company
laptop. The company used the same laptop at each recruiting event and never
removed sensitive information from it.  As the FTC points out, the company
should have removed candidates' sensitive information once it was no longer
needed.

Don't use personal information when it's not necessary.  The FTC recognizes
that companies have legitimate business reasons to use sensitive data;
however, it stresses that companies should not use sensitive information in
contexts that create unnecessary risks.

Train your staff on your standards – and make sure they’re following
through.  Company staff are both the greatest security risk and also a
company’s first line of defense against security breaches. Training is not
a one-time endeavor – companies must continue to train staff on new
security practices and provide refresher training on current company
policies.  The FTC also stressed the importance of deputizing staff to
provide suggestions and practical advice that C-suite executives may not
have.

When feasible, offer consumers more secure choices.  Companies should make
it easy for consumers to make choices that result in greater security of
their data, and should consider setting the default settings for their
products at the most protective levels.  As an example of inadequate
security practices, the FTC cited a manufacturer that configured the
default settings on its routers so that anyone online could gain access to
the files on the storage devices connected to the routers.  The
manufacturer failed to adequately explain the default settings to
consumers, and might have avoided the unauthorized access had it shipped
the default setting in a more secure configuration.

Control access to data sensibly.

Restrict access to sensitive data.  Employers should limit the access that
employees and other individuals have to sensitive data, either through
physical controls (e.g., locking a desk drawer) or by restricting sensitive
network files to a limited number of employees with password-protected
access.

Limit administrative access.  The FTC compares a company’s need to
safeguard and limit access to administrative rights to a bank’s need to
safeguard the combination to the bank’s vault.  Limiting the number of
employees who have administrative access can reduce a company’s security
risk.

Require secure passwords and authentication

Insist on long, complex and unique passwords and store passwords securely.
Companies should require that employees create strong, unique passwords.
In addition, companies should configure consumer products so that consumers
are required to change the default password upon first use. Of course,
strong passwords are of little use if they are not stored properly (hashed
and salted rather than kept in plaintext) and are compromised. Companies
can also guard against brute force attacks by configuring their systems so
that user credentials are suspended or disabled after a specified number of
unsuccessful login attempts.

Protect sensitive accounts with more than just a password.  Because
individuals often reuse the same passwords across online accounts, such
login credentials can leave companies and consumers vulnerable to
credential stuffing attacks.  Companies should consider requiring multiple
authentication factors for access to accounts or applications that hold
sensitive data.

Protect against authentication bypass.  If attackers cannot reach their
targeted application through the front door, they will look for other
available access points.  One way to reduce the risk of authentication
bypass is to funnel every login through a single authentication point that
the company can monitor.
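The three password-and-authentication points above (strong, securely stored passwords with a forced change of the shipped default; lockout after repeated failures; one monitored authentication entry point) are easy to state and easy to get subtly wrong, so here is an added, self-contained example of all three working together. This is illustrative code written for this post, not code from the FTC, from any of the companies in its complaints, or from the article; the policy numbers (12-character minimum, 5 attempts, 15-minute lock), the factory default password "admin", the small denylist and the account names are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed policy values for this example; tune them to your own risk model.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5          # suspend the credential after this many failures
LOCKOUT_SECONDS = 15 * 60        # how long the suspension lasts
PBKDF2_ITERATIONS = 600_000      # OWASP (2023) figure for PBKDF2-HMAC-SHA256
FACTORY_DEFAULT_PASSWORD = "admin"   # hypothetical password shipped with the product

# Tiny constructed denylist standing in for a breached-password corpus.
COMMON_PASSWORDS = {"password", "password123", "admin", "letmein", "123456789012"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); the plaintext is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_is_acceptable(password, username):
    """Length check plus denylist; rejects the shipped default and the username."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or lowered == FACTORY_DEFAULT_PASSWORD:
        return False
    return username.lower() not in lowered


class AuthService:
    """Single monitored entry point: every login attempt goes through
    authenticate() and is written to audit_log, so there is one place to watch."""

    def __init__(self):
        self.accounts = {}
        self.audit_log = []   # (timestamp, username, outcome)

    def _record(self, now, username, outcome):
        self.audit_log.append((now, username, outcome))
        return outcome

    def create_account(self, username, password, must_change=False):
        # A product shipped with its default password is created with must_change=True;
        # every other account must satisfy the policy up front.
        if not must_change and not password_is_acceptable(password, username):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.accounts[username] = {
            "salt": salt, "digest": digest,
            "failed": 0, "locked_until": 0.0, "must_change": must_change,
        }

    def authenticate(self, username, password, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password)   # burn the same time so unknown users are not faster
            return self._record(now, username, "unknown_user")
        if now < acct["locked_until"]:
            return self._record(now, username, "locked")   # suspended: do not even verify
        _, digest = hash_password(password, acct["salt"])
        if not hmac.compare_digest(digest, acct["digest"]):
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED_ATTEMPTS:
                acct["failed"] = 0
                acct["locked_until"] = now + LOCKOUT_SECONDS
                return self._record(now, username, "locked")
            return self._record(now, username, "bad_password")
        acct["failed"] = 0
        if acct["must_change"]:
            # Correct default password: allow nothing except setting a new one.
            return self._record(now, username, "password_change_required")
        return self._record(now, username, "ok")

    def change_password(self, username, old_password, new_password):
        acct = self.accounts.get(username)
        if acct is None:
            return "unknown_user"
        if not password_is_acceptable(new_password, username):
            return "policy_violation"
        _, digest = hash_password(old_password, acct["salt"])
        if not hmac.compare_digest(digest, acct["digest"]):
            return "bad_password"
        acct["salt"], acct["digest"] = hash_password(new_password)  # fresh salt
        acct["must_change"] = False
        return "ok"


if __name__ == "__main__":
    svc = AuthService()
    svc.create_account("admin", FACTORY_DEFAULT_PASSWORD, must_change=True)
    print(svc.authenticate("admin", "admin"))                  # password_change_required
    print(svc.change_password("admin", "admin", "a-much-longer-router-passphrase"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(svc.authenticate("admin", "guess"))              # bad_password ... locked
    for entry in svc.audit_log:
        print(entry)
```

Two design points worth noting. The lock is checked before the hash is computed, so a brute-force run against a suspended account costs the attacker nothing but also costs the server nothing, and the `locked` outcomes still land in the audit log where a monitoring rule can count them per source. The forced change on the factory default is enforced by the same `authenticate()` path rather than by a separate setup screen, which is exactly the kind of second door the authentication-bypass point warns about.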