While there is no generally applicable federal law in the United States requiring all businesses to take particular steps to secure their sensitive data, the Federal Trade Commission, has investigated and penalized numerous companies for failing to implement "reasonable" data security standards. In an effort to help guide U.S. businesses on the question of what constitutes "reasonable" security measures, the FTC launched a "Start with Security Initiative" on June 30th, to provide information to businesses about data security and the protection of consumer information. The initiative comprises three elements: a publication containing lessons from more than 50 data security cases brought by the FTC; a series of educational conferences across the country aimed at small- and medium-sized businesses in various industries; and a website that consolidates the Commission's data security information for businesses, which can be found here.

This alert summarizes the ten over-arching recommendations addressed in the FTC's "Start with Security" publication and the practical steps you can take to implement these recommendations and reduce your company's data security risks.

1) Start with Security.

Every department across your company should factor data security into decision-making, thinking carefully about the kind of information to collect, how long to keep it, and who can access it.

  • If you don't need it, don't collect it. The best way to avoid a data breach is to avoid collecting so-called "personally identifiable information" (PII) in the first place. For example, do you really need an applicant's social security number just to conduct an interview? What about a user's email address and password? The FTC went after one company, RockYou, for collecting email passwords from users as part of a registration process and storing them in clear text, creating an unnecessary security risk for the company.
  • If you don't need it, don't use it. Once you have collected sensitive data, think twice before removing it from a secure location. Always ask: Can you do your work without exporting a sensitive data field? And avoid using PII for non-essential purposes. The FTC cites one company that used real people's PII in employee training sessions, and another in which the company gave service providers access to sensitive customer data without good reason. In both cases, the FTC found that the company could have avoided the risk by using fictitious information for training or development purposes.
  • Delete data. Very often, companies store more data than they need, and for longer than they need it. Consider the risks of failing to delete sensitive data when it's no longer needed, and create and implement appropriate document retention policies. In the FTC action against BJ's Wholesale, the FTC found that the company collected customers' credit and debit card information to process retail transactions, but kept the information for 30 days without any legitimate business need.

​2) Control Access to Data Sensibly.

  • Restrict access to sensitive data. Segregate sensitive data and limit access, and grant employees access only on a "need to know" basis. In a case against Goal Financial, the FTC alleged that the company failed to restrict access to personal information stored in paper files and on its network, resulting in the transfer of more than 7,000 consumer files containing sensitive information to third parties without authorization.
  • Limit administrative access. Administrative access allows a user to make system-wide changes and should be limited to employees who need it to do their jobs. In one action, the FTC alleged that a company gave almost all of its employees administrative control that included the ability to reset user account passwords and view users' private information.

3) Require Secure Passwords and Authentication.

  • Insist on complex and unique passwords. Even with a robust security system, it's risky to permit passwords like "123456" or passwords that use common dictionary words, or to permit use of the same passwords for multiple accounts.
  • Store passwords securely. In many respects, passwords should be treated the same as sensitive personal information – and they should not be stored in clear, readable text. The FTC cited insecure storage of network credentials in its cases against Reed Elsevier and Guidance Software. The FTC also recommends that businesses consider implementing additional protections, such as two-factor authentication.
  • Guard against "brute force" attacks. Companies should suspend or disable a user's credentials after a certain number of unsuccessful login attempts.
  • Protect against authentication bypass. Test your systems for commonly known vulnerabilities that would allow hackers to bypass a company's authentication screen and gain unauthorized access.

4) Store Sensitive Personal Information Securely and Protect It During Transmission.

  • Secure Data in All Stages. Most data is not collected and stored in a single location for the duration of its use, but is transmitted for business purposes both within the company and outside of the company (e.g., to a bank processor to process a retail transaction). In a case brought by the FTC against Superior Mortgage Corporation, there was evidence the company used SSL encryption to secure sensitive data during transmission from the customer's web browser and the business's web server, but the data was then decrypted and sent in clear, readable text to the company's headquarters.
  • Don't Reinvent the Wheel. Use industry-tested and accepted methods of data protection when they are available. The FTC cites the ValueClick case as an example of this principle. There, the company used a non-standard proprietary form of encryption, which had not been widely tested and was subject to significant security vulnerabilities.
  • Ensure Proper Configuration of Security Measures. And test to make sure they are operating appropriately.

5) Segment Your Network and Monitor Network Activity.

  • Implement Technical Controls to Segment Network. The key lesson here is to keep your most sensitive data in a separate secure place on your network, so that if a hacker does gain illegal access they will be less likely to cause harm. This is an issue that has surfaced in many of the most publicized retailer data breaches and in the FTC's case against DSW: an insufficiently segmented network can allow hackers to leverage access from one in-store network to another in-store network or the company's corporate network.
  • Install Intrusion Detection. Intrusion Detection Systems alert companies to suspicious attempts to access or gain entry to the company's networks. In addition to implementing such systems, companies should regularly monitor the system logs that are produced to identify suspicious activity or trends over time.

6) Secure Remote Access to Your Network.

  • Ensure Endpoint Security. Connecting to a network from remote devices such as laptops or mobile phones creates a potential entry point for security threats. The FTC cites numerous cases (Premier Capital Lending, Settlement One, Lifelock) in which the challenged companies failed to ensure that companies with remote access to their systems had appropriate endpoint security. One way to improve endpoint security is to make sure clients that have access to your company's network have basic security measures in place, such as firewalls and updated anti-virus software.
  • Put Sensible Access Limits in Place. In the words of the FTC, "not everyone who might occasionally need to get on your network should have an all-access, backstage pass." Common ways to restrict third-party access to your network are to limit access to certain trusted IP addresses, or to grant temporary, limited access (which expires after a set period of time, for example).

7) Don't Forget About Security for New Products.

  • Train Engineers in Secure Coding and Follow Platform Security Guidelines. These tips follow on the FTC's guidance to implement " privacy by design" and bake privacy considerations directly into all new product features right from the start.
  • Test Your Products. Confirm that privacy and security features work and test for commonly known vulnerabilities, such as those identified by the Open Web Application Security Project.

8) Make Sure Your Service Providers Implement Reasonable Security Measures.

  • Put it in Writing. Insist that your service providers take reasonable security measures (for example, encryption or segregation of your company's data) as part of your contracts.
  • Verify Compliance. Ensure that someone, whether it's the company or an independent third party, has an opportunity to audit your service provider's compliance with the security practices it has committed to follow.

9) Update Security Practices.

  • Update and Patch Third Party Software. One of the issues in the widely publicized TJX data breach was the company's failure to update its anti-virus software. Old anti-virus software increases the risk that hackers can exploit known vulnerabilities or overcome the company's security defenses.
  • Heed and Resolve Legitimate Security Warnings. Your company should have a process in place for regularly reviewing and resolving reports of security vulnerabilities.

10) Secure Paper, Physical Media, and Devices.

  • Implement Physical Controls. While data breaches often elicit images of hackers gaining entry into a network, many breaches result from stolen paper files, or stolen computers and portable media. In the Lifelock case, the FTC charged that the company left faxed documents which included customers' sensitive personal information in an open and easily accessible area. Employees must understand the need to securely store files, lock doors, lock laptops containing sensitive data to desks, and lock portable media in desks.
  • Secure Data that Leaves the Office. The same security considerations that apply to data in the office should also apply when you dispose of data or transmit data to another location. According to the FTC complaints in the Rite Aid and CVS Caremark cases, for example, the companies placed sensitive personal information, like prescriptions, in dumpsters.

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.