A few months ago, the FTC issued a new guidance document entitled Start with Security, which provides a series of “lessons learned” by the FTC after pursuing more than 50 enforcement actions against companies which either engaged in deceptive or unfair management practices with respect to keeping personally identifiable information secure from outside access.
In light of the Third Circuit’s recent ruling in FTC v. Wyndham Worldwide Corporation, et al. that these guidance documents provide adequate notice to companies of what they should be doing to avoid being the subject of an FTC enforcement action, and given the fact that there have been almost 700 separate data breaches in the US during the first half of 2015, the measures in the FTC’s “lessons learned” document warrant close scrutiny. Below is a summary of the FTC’s “suggestions:”
I. Start with Security
Whether it is personal information on an employment application or customer credit card numbers, virtually every company today collects some sort of sensitive and confidential information. As a result, businesses should factor data security into their decision-making process from the very beginning and think through the implications of their decisions. Specifically,
- Don’t collect personal information that you do not need – Hackers cannot steal what you do not have. Take a close look at exactly what kinds of personal information your company collects and ask the question, “Do we really need this information?” If not, consider refining your practices to discontinue its collection.
- Hold onto information only as long as you have a legitimate business need – If you collect credit card numbers to process transactions, do you really need to keep it after the transaction is concluded? Sure, it may be more convenient for the customer the next time around, but is it worth the risk? Realistically consider what sensitive information you need to hold onto and securely dispose of anything extraneous.
II. Sensibly Control Access to Data
Obviously, companies want to keep personal information away from outsiders, but some think that their employees are a different matter altogether. Not so. The fewer people that have access to sensitive data, the less likely it is that a data breach will occur. Consider the following suggestions:
- Restrict access to sensitive data – If employees do not have to use personal information as part of their job, there is no need for them to have access to it. Consider segregating sensitive data onto separate servers or network areas and only providing access credentials to those areas to people who need to use that data.
- Limit administrative access – Although this is a less pervasive problem, some companies give administrative access (which allows a user to make system-wide changes to the company computer system) to virtually everyone that works there. Ensure that an employee’s level of administrative access is tailored to his/her job functions.
III. Require Secure Passwords and Authentication
You’ve probably heard this one before, but it bears repeating – good password “hygiene” can make a huge difference in terms of data security. The following are all good rules of thumb:
- Insist on complex or unique passwords – Passwords like qwerty or 121212 are not much better than no passwords at all. Consider requiring employees to create complex passwords that are relatively long (10-15 characters) and that have a random combination of letters (capital and lower case), numbers and special characters (!@#$%&*). Additionally, do not allow employees to use the same passwords for both business and personal accounts.
- Store passwords securely – Don’t make it easy for hackers to access passwords. Prohibit employees and customers from storing user credentials in a vulnerable format (like clear, readable text). Also consider the use of two-factor authentication to protect against password compromises.
- Guard against brute force attacks – A brute force attack occurs when a hacker uses an automated program to type an endless combination of characters until they luck into a password. This can easily be avoided by setting up a mechanism to suspend or disable a user account after a certain number of unsuccessful login attempts.
- Protect against authentication bypass – Test your security mechanisms for vulnerabilities that will allow hackers to gain access to your systems through a different, less considered method. There is no point in locking the front door if you leave the back door open.
IV. Store Sensitive Personal Information Securely and Protect It During Transmission
If you have to hold onto data for any period of time, it needs to be in a form that is accessible to the people who use it, but that cannot come at the cost of data security:
- Keep sensitive information secure throughout its life cycle – Security needs to be considered at all stages, not just while it is sitting on your computers. If your information travels a lot, make sure that it is not only secure during transit, but also at any and all final destinations.
- Use industry-tested and accepted methods – Just because “Jeff in IT” has devised a really cool encryption algorithm does not mean you should use it to protect your data. There are tried and tested encryption programs, as well as other pieces of data security software already on the market. Don’t reinvent the wheel.
- Ensure proper configuration – Don’t touch the settings! Encryption software needs to be properly configured to work at peak efficiency, so make sure that your IT department is on top of it. And do not give your employees the power to alter settings to suit their own convenience.
V. Segment Your Network and Monitor Who’s Trying to Get In and Out
Not everybody needs access to every area of your computer system, and you need to be able to catch intruders quickly and efficiently. Remember the following:
- Segment your network – This can be a big problem in multi-branch/multi-location situations, where everyone can communicate with everyone else. Store sensitive data in a separate, secure place on your network and restrict which computers can access that data; that way, if a hacker gets into one location, you can stop him/her at that point.
- Monitor activity on your network – Nothing beats good intrusion detection software for catching hackers early. Otherwise, you run the risk of data breaches going on for days, weeks or months and not even realizing it.
VI. Secure Remote Access to Your Network
It is one thing to implement strong data protection measures at the office, but what happens when you allow employees or clients or vendors to access your computer systems from outside of the office? You may want to consider these issues:
- Ensure endpoint security – If you allow employees to access sensitive information from home computers or personal laptops or mobile devices, consider implementing a BYOD (“Bring Your Own Device”) policy that requires the installation of certain firewall and anti-virus programs to protect against unauthorized access. For clients and vendors, you need to make sure that their data security policies and efforts are at least as robust as your own.
- Put sensible access limits in place – Not everyone who occasionally needs to get on your network should have an all-access, backstage pass. Consider restricting third-party access by location (certain IP addresses) or by time (granting temporary, limited access).
VII. Apply sound security practices when developing new products.
It is not just technology companies that are out there devising new digital products. Every industry sector is developing apps to further its own business goals and make the customer experience more convenient. But do not let convenience come at a cost during the development process.
- Train your engineers in secure coding – Engineers should be trained from day one how to spot and rectify potential security vulnerabilities in the products they are designing.
- Follow platform guidelines for security – Again, there is no need to reinvent the wheel, when platforms like Apple’s iOS and Google’s Android have already created guidelines for developers that include rules related to data security. Use it!
- Verify that privacy and security features work/test for common vulnerabilities – This may seem obvious, but in the rush to test all of the other cool features that your product is meant to offer, data security and privacy can often be sacrificed. Test the privacy and security features to make sure they work, at least against the more common and known threats that are out there.
VIII. Make Sure Your Service Providers Implement Reasonable Security Measures
Companies often outsource the processing of personal information, whether it is for customers (market analysis) or employees (payroll, insurance, etc.). If you allow third party vendors to have access to sensitive information that you have acquired, remember a few things.
- Put it in writing – Strong data security measures should be embedded in your contract with the vendor. Require provisions that require that certain security measures be put into place and clarify what will happen if your data does get compromised.
- Verify compliance – As much as you trust your service providers, do not simply “take their word for it” when it comes to data security. Ask questions and check on their systems during the development process.
IX. Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities that May Arise
Just because you have implemented all of these fancy new security features does not mean that you are finished. Effective data security requires an ongoing evaluative process:
- Update and patch third-party software – Nothing undermines security like outdated software, so apply patches from your third-party software suppliers as soon as possible. And have a process in place for doing so – letting individual employees apply the patches ad hoc is a recipe for disaster.
- Heed credible security warnings and move to quickly fix them – If someone points out a potential security vulnerability, do not put off investigating it or the vulnerability could escalate into a full-blown data intrusion. Consider having devoted channels of communication (like a dedicated e-mail address) for reporting security problems to allow for prompt investigation and remediation.
X. Secure Paper, Physical Media and Devices
With such a heavy emphasis on digital records, it is easy to forget that we still store a lot of sensitive information on paper, CDs and backup tapes. Moreover, other devices besides your typical computer system can have absorb, process and transmit such information:
- Securely store sensitive files – Do not leave sensitive information “lying about,” especially if third parties (customers, building staff, cleaning crews) have access to your offices. Locked file cabinet/office and clean desk policies can go a long away to minimizing this type of careless disclosure.
- Protect devices that process personal information – Securing information stored on your network won’t protect your customers if the data has already been stolen through the device that collects it. Attacks that target point-of-sale devices (like PIN entry devices) are now fairly common, so take reasonable steps to combat them.
- Keep safety standards in place when data is en route – It is astonishing the number of times we hear about employee laptops being lost or stolen, and it seems to happen more with mobile devices. You should avoid having employees take sensitive information abroad, but if you must, make sure that it is under lock and key and out of site whenever possible. Also, consider the use of Virtual Private Networks to further secure information – if the laptop is stolen, the thief will not be able to get anything off of it.
- Dispose of sensitive data securely – Do not throw those personal documents in the dumpster behind the office - shred, burn or pulverize them to make sure that any paper data you no longer need has been rendered completely unreadable. If the data exists on a device like a photocopier (yes, modern photocopiers often have hard drives that store an image of every document that has been copied on it), use available technology to completely wipe it.
The steps outlined in the FTC guidance document are not meant to be exhaustive. For example, employee training is a critical component of any good data security program, but it is not specifically mentioned in this guidance document as a separate consideration. Furthermore, companies in regulated industries like healthcare and financial services will be bound by specific data protection regulations not included here. Also, where credit card numbers are being stored, the payment card industry has promulgated its own security measures that will need to be consulted. Still, the “lessons learned” document serves as an excellent place to begin a conversation about data security and the initial first steps that need to be taken.
Eric Levy is a Senior Trial Attorney in Gardere’s Dallas office, where he practices Internet and Technology Law with a special focus on issues relating to privacy and data security. For more information, contact Mr. Levy at firstname.lastname@example.org.